
Audit history

wp-playground - 6 audits

Audit version 6

Latest, Medium risk

Jun 29, 2026, 03:17 AM

Static high-severity weak-cryptography alerts were false positives on ordinary WordPress text fields and descriptions. The skill is legitimate WordPress Playground guidance, but it has medium operational risk because it instructs users to run npx commands, enable Playground networking, mount local directories, and use blueprint steps that can execute PHP or WP-CLI.

Files scanned: 3
Lines analyzed: 519
Findings: 11
Auditor: codex
Medium-risk issues (3)
External CLI Commands and Local Mounts
The skill documents npx-based WordPress Playground commands and local directory mounts. This is legitimate tooling, but users should review commands before running them because npx may download packages and mounts expose local project files to the Playground server.
Code-Capable Playground Blueprint Steps
The skill documents runPHP, wp-cli, and writeFile blueprint steps, and the base blueprint includes a static runPHP step. These capabilities are expected for WordPress Playground but could be risky if users import untrusted blueprints.
Network-Enabled Playground Blueprints
The bundled blueprints enable Playground networking and install plugins or themes from WordPress.org. This is normal for WordPress testing, but it creates external network dependency and supply-chain exposure.
Low-risk issues (4)
Static Weak-Cryptography Alerts Are False Positives
The flagged weak-cryptography locations are WordPress descriptions, schema references, or site option text. I found no hash algorithm, cipher selection, credential handling, or cryptographic operation at these lines.
Documented Hidden Directory Path
The hidden home-directory path points to the expected local Claude skills folder for blueprint templates. It is a filesystem reference, but I found no instruction to read secrets or exfiltrate hidden files.
Email Capability Alert Is a False Positive
The email-related static alert appears in a comparison table saying Playground has no email support and Docker may support SMTP. No email sending code or credential handling was found.
Hardcoded URL Alerts Are Expected Documentation
The hardcoded URLs point to the official WordPress Playground site, the Playground blueprint schema, WordPress resources, or a generic example blueprint URL. I found no evidence that these URLs exfiltrate data or contact an unrelated service.

Detected patterns

npx Package Execution, Blueprint Code Execution Steps, Local Directory Mounting

Audit version 5

Safe

Jan 16, 2026, 10:36 PM

This skill contains only documentation and JSON blueprint configuration files. No executable code exists. All 69 static findings are false positives: URL encoding patterns (%postname%) were misidentified as weak crypto algorithms, markdown code fences (```) were misidentified as shell backticks, and legitimate URLs to WordPress services were flagged as hardcoded URLs. The skill is purely declarative documentation for WordPress Playground environments.

Files scanned: 4
Lines analyzed: 710
Findings: 3
Auditor: claude
No security issues found

Audit version 4

Safe

Jan 16, 2026, 10:36 PM

This skill contains only documentation and JSON blueprint configuration files. No executable code exists. All 69 static findings are false positives: URL encoding patterns (%postname%) were misidentified as weak crypto algorithms, markdown code fences (```) were misidentified as shell backticks, and legitimate URLs to WordPress services were flagged as hardcoded URLs. The skill is purely declarative documentation for WordPress Playground environments.

Files scanned: 4
Lines analyzed: 710
Findings: 3
Auditor: claude
No security issues found

Audit version 3

Safe

Jan 10, 2026, 01:03 PM

This skill contains only documentation and JSON blueprint configuration files. No executable code, no network requests, no file system access, and no command execution capabilities. The blueprints are declarative configurations for WordPress Playground that define plugin/theme installations and site settings. All content matches the stated purpose of providing WordPress testing environments.

Files scanned: 3
Lines analyzed: 518
Findings: 0
Auditor: claude
No security issues found

Audit version 2

Safe

Jan 10, 2026, 01:03 PM

This skill contains only documentation and JSON blueprint configuration files. No executable code, no network requests, no file system access, and no command execution capabilities. The blueprints are declarative configurations for WordPress Playground that define plugin/theme installations and site settings. All content matches the stated purpose of providing WordPress testing environments.

Files scanned: 3
Lines analyzed: 518
Findings: 0
Auditor: claude
No security issues found

Audit version 1

Safe

Jan 10, 2026, 01:03 PM

This skill contains only documentation and JSON blueprint configuration files. No executable code, no network requests, no file system access, and no command execution capabilities. The blueprints are declarative configurations for WordPress Playground that define plugin/theme installations and site settings. All content matches the stated purpose of providing WordPress testing environments.

Files scanned: 3
Lines analyzed: 518
Findings: 0
Auditor: claude
No security issues found