wordpress-block-editor-fse
skills-sh:bobmatnyc_claude-mpm-skills__wordpress-block-editor-fse
First Seen
Feb 18, 2026
Last Scanned
Feb 20, 2026
Findings
18
Score
0/100
Findings (18)
Hidden HTML comment contains action verbs
<!-- wp:post-title {"level":1} /-->
Remove hidden text (e.g., HTML comments with directives, zero-width characters, white-on-white text). All content should be visible and explicit in the skill definition.
Likely FP if the match is a standard HTML comment used for code documentation, or base64 content used for legitimate data encoding (e.g., images).
Hidden HTML comment contains action verbs
<!-- wp:post-featured-image /-->
Remove hidden text (e.g., HTML comments with directives, zero-width characters, white-on-white text). All content should be visible and explicit in the skill definition.
Likely FP if the match is a standard HTML comment used for code documentation, or base64 content used for legitimate data encoding (e.g., images).
Hidden HTML comment contains action verbs
<!-- wp:post-content /-->
Remove hidden text (e.g., HTML comments with directives, zero-width characters, white-on-white text). All content should be visible and explicit in the skill definition.
Likely FP if the match is a standard HTML comment used for code documentation, or base64 content used for legitimate data encoding (e.g., images).
Hidden HTML comment contains action verbs
<!-- wp:post-date /-->
Remove hidden text (e.g., HTML comments with directives, zero-width characters, white-on-white text). All content should be visible and explicit in the skill definition.
Likely FP if the match is a standard HTML comment used for code documentation, or base64 content used for legitimate data encoding (e.g., images).
Hidden HTML comment contains action verbs
<!-- wp:query {"queryId":1,"query":{"perPage":10,"postType":"post"}} -->
Remove hidden text (e.g., HTML comments with directives, zero-width characters, white-on-white text). All content should be visible and explicit in the skill definition.
Likely FP if the match is a standard HTML comment used for code documentation, or base64 content used for legitimate data encoding (e.g., images).
Hidden HTML comment contains action verbs
<!-- wp:post-template {"layout":{"type":"grid","columnCount":3}} -->
Remove hidden text (e.g., HTML comments with directives, zero-width characters, white-on-white text). All content should be visible and explicit in the skill definition.
Likely FP if the match is a standard HTML comment used for code documentation, or base64 content used for legitimate data encoding (e.g., images).
Hidden HTML comment contains action verbs
<!-- wp:post-featured-image {"isLink":true} /-->
Remove hidden text (e.g., HTML comments with directives, zero-width characters, white-on-white text). All content should be visible and explicit in the skill definition.
Likely FP if the match is a standard HTML comment used for code documentation, or base64 content used for legitimate data encoding (e.g., images).
Hidden HTML comment contains action verbs
<!-- wp:post-title {"isLink":true} /-->
Remove hidden text (e.g., HTML comments with directives, zero-width characters, white-on-white text). All content should be visible and explicit in the skill definition.
Likely FP if the match is a standard HTML comment used for code documentation, or base64 content used for legitimate data encoding (e.g., images).
Hidden HTML comment contains action verbs
<!-- wp:post-excerpt /-->
Remove hidden text (e.g., HTML comments with directives, zero-width characters, white-on-white text). All content should be visible and explicit in the skill definition.
Likely FP if the match is a standard HTML comment used for code documentation, or base64 content used for legitimate data encoding (e.g., images).
Hidden HTML comment contains action verbs
<!-- /wp:post-template -->
Remove hidden text (e.g., HTML comments with directives, zero-width characters, white-on-white text). All content should be visible and explicit in the skill definition.
Likely FP if the match is a standard HTML comment used for code documentation, or base64 content used for legitimate data encoding (e.g., images).
Hidden HTML comment contains action verbs
<!-- wp:post-title /-->
Remove hidden text (e.g., HTML comments with directives, zero-width characters, white-on-white text). All content should be visible and explicit in the skill definition.
Likely FP if the match is a standard HTML comment used for code documentation, or base64 content used for legitimate data encoding (e.g., images).
Hidden HTML comment contains action verbs
<!-- wp:post-content /-->
Remove hidden text (e.g., HTML comments with directives, zero-width characters, white-on-white text). All content should be visible and explicit in the skill definition.
Likely FP if the match is a standard HTML comment used for code documentation, or base64 content used for legitimate data encoding (e.g., images).
Hidden HTML comment contains action verbs
<!-- wp:post-featured-image /-->
Remove hidden text (e.g., HTML comments with directives, zero-width characters, white-on-white text). All content should be visible and explicit in the skill definition.
Likely FP if the match is a standard HTML comment used for code documentation, or base64 content used for legitimate data encoding (e.g., images).
Hidden HTML comment contains action verbs
<!-- wp:post-date /-->
Remove hidden text (e.g., HTML comments with directives, zero-width characters, white-on-white text). All content should be visible and explicit in the skill definition.
Likely FP if the match is a standard HTML comment used for code documentation, or base64 content used for legitimate data encoding (e.g., images).
Detects outbound connections to non-standard ports
http://localhost:8888
Restrict network connections to standard ports (80, 443) and explicitly allowlisted service ports. Block connections to unusual ports that could indicate covert channels.
Likely FP if the non-standard port is localhost (127.0.0.1) used for local development servers (e.g., port 3000, 8080, 5432 for a local database).
Detects npx executing packages from unverified sources without pinned versions
npx @wordpress/env
Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @wordpress/env
Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.
Detects npx executing packages from unverified sources without pinned versions
npx @wordpress/env
Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.
Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.