Production-grade WordPress operations toolkit for AI coding agents — default-safe wp-cli + REST + scoped filesystem, opt-in companion plugin for execute-php + runtime introspection. MIT, rolepod ecosystem.
Drift inferred · capture-to-capture
No drift recorded — single capability capture; advisories appear once its surface changes.
transport stdio · http counts 0 tools · 0 res
· 0 prompts
permission surface via code analysis
no tools enumerated yet for this server.
prompt-surface
shipped agent-instruction files + hidden-content / dangerous-code findings —
quoted from the analyzed source
analyzed commit 7fde6b0 · analyzer v17 · 2d ago
skills & prompt files 28
- skillnuttaruj-rolepod-wplab-7fde6b0/plugins/rolepod-wplab/skills/wp-changes/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/plugins/rolepod-wplab/skills/wp-connect/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/plugins/rolepod-wplab/skills/wp-content/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/plugins/rolepod-wplab/skills/wp-diagnose/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/plugins/rolepod-wplab/skills/wp-edit-design/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/plugins/rolepod-wplab/skills/wp-edit-plugin/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/plugins/rolepod-wplab/skills/wp-edit-theme/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/plugins/rolepod-wplab/skills/wp-execute-php/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/plugins/rolepod-wplab/skills/wp-full/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/plugins/rolepod-wplab/skills/wp-health-check/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/plugins/rolepod-wplab/skills/wp-introspect/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/plugins/rolepod-wplab/skills/wp-migrate/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/plugins/rolepod-wplab/skills/wp-pair-setup/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/plugins/rolepod-wplab/skills/wp-scaffold/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/skills/wp-changes/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/skills/wp-connect/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/skills/wp-content/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/skills/wp-diagnose/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/skills/wp-edit-design/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/skills/wp-edit-plugin/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/skills/wp-edit-theme/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/skills/wp-execute-php/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/skills/wp-full/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/skills/wp-health-check/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/skills/wp-introspect/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/skills/wp-migrate/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/skills/wp-pair-setup/SKILL.md
- skillnuttaruj-rolepod-wplab-7fde6b0/skills/wp-scaffold/SKILL.md
evidence-backed
findings quoted directly from the published source artifact — not inferred
filesystem 23
- fs nuttaruj-rolepod-wplab-7fde6b0/src/bin/init.ts :1
import { existsSync } from "node:fs"; - fs nuttaruj-rolepod-wplab-7fde6b0/src/bin/memory.ts :1
import { writeFileSync } from "node:fs"; - fs nuttaruj-rolepod-wplab-7fde6b0/src/bin/replay.ts :1
import { readFileSync } from "node:fs"; - fs nuttaruj-rolepod-wplab-7fde6b0/src/credentials/FileVault.ts :8
} from "node:fs/promises"; - fs nuttaruj-rolepod-wplab-7fde6b0/src/credentials/KeychainVault.ts :2
import { readFile, writeFile, mkdir, chmod, access } from "node:fs/promises"; - fs nuttaruj-rolepod-wplab-7fde6b0/src/lib/rolepodEvidence.ts :26
import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs"; - fs nuttaruj-rolepod-wplab-7fde6b0/src/lib/targetAliases.ts :25
} from "node:fs/promises"; - fs nuttaruj-rolepod-wplab-7fde6b0/src/memory/MemoryStore.ts :11
} from "node:fs/promises"; - fs nuttaruj-rolepod-wplab-7fde6b0/src/profile/load.ts :1
import { readFileSync, existsSync } from "node:fs"; - fs nuttaruj-rolepod-wplab-7fde6b0/src/runtime/LocalTarget.ts :2
import { existsSync } from "node:fs"; - fs nuttaruj-rolepod-wplab-7fde6b0/src/runtime/SshTarget.ts :2
import { readFile } from "node:fs/promises"; - fs nuttaruj-rolepod-wplab-7fde6b0/src/runtime/fs.ts :8
} from "node:fs/promises"; - fs nuttaruj-rolepod-wplab-7fde6b0/src/safety/FsScope.ts :2
import { realpathSync } from "node:fs"; - fs nuttaruj-rolepod-wplab-7fde6b0/src/tools/atomic/wp_conventions.ts :2
import { readFile, writeFile, mkdir } from "node:fs/promises"; - fs nuttaruj-rolepod-wplab-7fde6b0/src/tools/atomic/wp_health_check.ts :1
import { writeFileSync } from "node:fs"; - fs nuttaruj-rolepod-wplab-7fde6b0/src/tools/companion/wp_changes_query.ts :1
import { writeFileSync } from "node:fs"; - fs nuttaruj-rolepod-wplab-7fde6b0/src/tools/composite/wp_audit_many.ts :1
import { mkdir, writeFile } from "node:fs/promises"; - fs nuttaruj-rolepod-wplab-7fde6b0/src/tools/composite/wp_audit_security.ts :1
import { mkdir, writeFile } from "node:fs/promises"; - fs nuttaruj-rolepod-wplab-7fde6b0/src/tools/composite/wp_backup.ts :1
import { mkdir, writeFile } from "node:fs/promises"; - fs nuttaruj-rolepod-wplab-7fde6b0/src/tools/composite/wp_clone.ts :1
import { mkdir, writeFile } from "node:fs/promises"; - fs nuttaruj-rolepod-wplab-7fde6b0/src/tools/composite/wp_diagnose.ts :1
import { mkdir, writeFile } from "node:fs/promises"; - fs nuttaruj-rolepod-wplab-7fde6b0/src/tools/composite/wp_migrate_data.ts :1
import { mkdir, writeFile } from "node:fs/promises"; - fs nuttaruj-rolepod-wplab-7fde6b0/src/tools/composite/wp_migrate_dryrun.ts :1
import { mkdir, writeFile } from "node:fs/promises";
shell / exec 6
- shell nuttaruj-rolepod-wplab-7fde6b0/src/companion/Bridge.ts :218
* Companion executes via PHP `exec()` against `wp-content/uploads/wplab-bin/wp-cli.phar`. - shell nuttaruj-rolepod-wplab-7fde6b0/src/lib/rolepodEvidence.ts :25
import { execSync } from "node:child_process"; - shell nuttaruj-rolepod-wplab-7fde6b0/src/runtime/SshTarget.ts :27
* exec(); file ops via SFTP. REST not implemented here (use RestTarget - shell nuttaruj-rolepod-wplab-7fde6b0/src/safety/AstScreen.ts :51
// 1. Backtick exec (against stripped — avoid backticks inside strings) - shell nuttaruj-rolepod-wplab-7fde6b0/src/tools/atomic/wp_file_write.ts :39
// is invisible and recoverable only via SSH/FTP. If the host has exec() - shell nuttaruj-rolepod-wplab-7fde6b0/src/tools/companion/wp_job_create.ts :15
"Fire-and-poll wp-cli runner. Spawns wp-cli detached on the target, returns a job_id immediately. Use for db migrations, theme switches with cache rebuild, media regeneration — anything that exceeds t
network 4
- net nuttaruj-rolepod-wplab-7fde6b0/src/runtime/restClient.ts :130
const res = await fetch(url, fetchInit); - net nuttaruj-rolepod-wplab-7fde6b0/src/tools/atomic/wp_pair.ts :52
const res = await fetch(redeemUrl, { - net nuttaruj-rolepod-wplab-7fde6b0/src/tools/composite/wp_elementor_publish.ts :180
const res = await fetch(u.toString(), { - net nuttaruj-rolepod-wplab-7fde6b0/src/tools/composite/wp_render_get.ts :69
res = await fetch(url, {
declared dependencies 13
- @modelcontextprotocol/sdk@^1.0.0
- execa@^9.0.0
- ssh2@^1.17.0
- zod@^3.23.0
- @types/dockerode@^4.0.1
- @types/node@^20.14.0
- oxlint@^0.9.0
- prettier@^3.3.0
- tsup@^8.2.0
- typescript@^5.5.0
- vitest@^2.0.0
- dockerode@^4.0.0
- node-ssh@^13.2.1