registry  /  wp-studio  /  1.13.0

wp-studio@1.13.0

WordPress Studio CLI

AI Security Review

scanned 11d ago · by lpm-firewall-ai

No confirmed malicious attack surface established. The package is a WordPress Studio CLI that manages local sites, optional AI agent workflows, MCP tools, updates, telemetry, and WordPress.com sync through user-invoked commands.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `studio` commands such as `studio create`, `studio start`, `studio code`, or `studio mcp`.
Impact
Expected local site file/config changes and package-aligned network calls; no evidence of hidden install-time execution, credential theft, persistence, or destructive behavior.
Mechanism
user-invoked WordPress site management and AI/MCP tooling
Rationale
Static inspection found risky primitives, AI-agent tooling, MCP server support, and managed instruction-file writes, but they are package-aligned and user-invoked rather than hidden lifecycle behavior. No source evidence supports malware, credential exfiltration, dependency confusion, persistence, or unconsented AI-agent control-surface mutation.
Evidence
package.jsondist/cli/main.mjsdist/cli/tos-notice-DYaFPFHN.mjsdist/cli/migrations-CPVgEMkn.mjsdist/cli/ai-EeLijBIp.mjsdist/cli/create-Clni08rR.mjsdist/cli/wp-files/skills/AGENTS.mddist/cli/wp-files/skills/CLAUDE.mddist/cli/wp-files/skills/STUDIO.md
Network endpoints6
public-api.wordpress.comapi.wordpress.orgregistry.npmjs.org/wp-studio/latestdeveloper.wordpress.comwordpress.studioapi.anthropic.com

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/cli/main.mjs registers user-invoked `studio code`/`ai` agent and `studio mcp` commands with tool access.
  • dist/cli/create-Clni08rR.mjs copies AGENTS.md/CLAUDE.md/STUDIO.md into managed site roots and selected skills into .agents/.claude paths during site creation.
  • dist/cli/tos-notice-DYaFPFHN.mjs can auto-install Playwright Chromium when MCP browser tools are invoked.
Evidence against
  • package.json has no install/postinstall hook; only prepublishOnly build script.
  • dist/cli/main.mjs exposes bin `studio` and command handlers; no import-time credential harvesting or exfiltration found.
  • AI/MCP capabilities are explicit product features for WordPress Studio and activated by user commands, not unconsented lifecycle mutation.
  • Network endpoints are WordPress/Automattic/npm/Anthropic/OpenAI-aligned update, telemetry, auth, AI proxy, preview, and WordPress API endpoints.
  • Scanner eval hit is browser injection of bundled inspector script for annotation tool; dynamic import/require are bundler/runtime patterns.
  • Bundled large WordPress/phpMyAdmin/font assets match a local WordPress development CLI distribution.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
Manifest
CopyleftLicense
scanned 894 file(s), 38.0 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.wordpress.org, appscdn.wordpress.com, assets-cdn.github.com, automattic.com, base-ui.com, bit.ly, bugs.jquery.com, cdn.dashjs.org, cdn.jsdelivr.net, davidwalsh.name, dev.ean.com, dev.mysql.com, developer.mozilla.org, developer.wordpress.com, developer.wordpress.org, docs.jquery.com, dom.spec.whatwg.org, domain.com, ecma-international.org, eev.ee, en.wikipedia.org, example.com, fb.me, get.adobe.com, github.com, gitlab.com, gravatar.com, img.youtube.com, jquery.org, jqueryvalidation.org, json-schema.org, lodash.com, mathiasbynens.be, mercantile.wordpress.org, momentjs.com, nodejs.org, npms.io, openlayers.org, player.vimeo.com, popper.js.org, public-api.wordpress.com, radix-ui.com, raw.githubusercontent.com, reactjs.org, redux.js.org, registry.npmjs.org, rolldown.rs, s.w.org
Oversized source lightweight scan
dist/cli/admin-credentials-BKzYydhQ.mjs3.06 MB file, sampled 256 KB
FilesystemHighEntropyStringsUrlStringsappscdn.wordpress.comgithub.comnodejs.orgwordpress.com
dist/cli/wp-files/latest/wordpress/wp-includes/js/dist/block-editor.js2.70 MB file, sampled 256 KB
FilesystemChildProcessObfuscatedHighEntropyStringsUrlStringsfb.me
dist/cli/wp-files/latest/wordpress/wp-includes/js/dist/block-library.js2.57 MB file, sampled 256 KB
ChildProcessHighEntropyStringsUrlStringsdom.spec.whatwg.orggithub.comschemas.wp.orgupload.wikimedia.orgwww.w3.org
dist/cli/wp-files/latest/wordpress/wp-includes/js/dist/components.js3.83 MB file, sampled 256 KB
ChildProcessHighEntropyStringsUrlStringswww.w3.org
dist/cli/wp-files/latest/wordpress/wp-includes/js/dist/editor.js2.50 MB file, sampled 256 KB
ChildProcessHighEntropyStringsUrlStringsfb.mes.w.orgwordpress.orgwww.w3.org

Source & flagged code

11 flagged · loading source
dist/cli/wp-files/latest/wordpress/wp-admin/js/auth-app.jsView file
84patternName = generic_password severity = medium line = 84 matchedText = '&passwo...d );
Medium
Secret Pattern

Package contains a possible secret pattern.

dist/cli/wp-files/latest/wordpress/wp-admin/js/auth-app.jsView on unpkg · L84
dist/cli/tos-notice-DYaFPFHN.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = wp-studio@1.12.0 matchedIdentity = npm:d3Atc3R1ZGlv:1.12.0 similarity = 0.933 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/tos-notice-DYaFPFHN.mjsView on unpkg
38import { z } from "zod"; L39: import { execFile } from "child_process"; L40: import os from "os";
High
Child Process

Package source references child process execution.

dist/cli/tos-notice-DYaFPFHN.mjsView on unpkg · L38
38Cross-file remote execution chain: dist/cli/tos-notice-DYaFPFHN.mjs spawns dist/cli/wp-files/latest/wordpress/wp-[redacted].js; helper contains network access plus dynamic code execution. L38: import { z } from "zod"; L39: import { execFile } from "child_process"; L40: import os from "os"; ... L246: /** L247: * Parse JSON from WP-CLI stdout, handling PHP warnings/deprecation notices. L248: * L249: * Tries JSON.parse first for the common clean-output case. If that fails, L250: * falls back to extracting JSON from the first '{' or '[' in the output. ... L656: const ipcEvent = { event: eventTuple }; L657: process.send(ipcEvent); L658: } ... L827: if (argv.exportFile) exportFile = argv.exportFile;
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli/tos-notice-DYaFPFHN.mjsView on unpkg · L38
1import { createRequire as __studioCreateRequire } from "node:module"; L2: __studioCreateRequire(import.meta.url); L3: import { C as Logger, D as setProgressCallback, E as getProgressCallback, N as __toESM, O as __commonJSMin, T as emitProgress, _ as SITE_EVENTS, a as saveCliConfig, c as updateCliC...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/cli/tos-notice-DYaFPFHN.mjsView on unpkg · L1
6973if (!document.getElementById("__studio-inspector-host")) delete w.__studioInspectorMounted; L6974: new Function(script)(); L6975: }, INSPECTOR_PAGE_SCRIPT);
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/cli/tos-notice-DYaFPFHN.mjsView on unpkg · L6973
dist/cli/migrations-CPVgEMkn.mjsView file
34return new Promise((resolve, reject) => { L35: execFile("powershell.exe", [ L36: "-NoProfile",
High
Shell

Package source references shell execution.

dist/cli/migrations-CPVgEMkn.mjsView on unpkg · L34
dist/cli/wp-files/phpmyadmin/vendor/tecnickcom/tcpdf/fonts/dejavusansb.zView file
path = dist/cli/wp-[redacted].z kind = high_entropy_blob sizeBytes = 347269 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/cli/wp-files/phpmyadmin/vendor/tecnickcom/tcpdf/fonts/dejavusansb.zView on unpkg
dist/cli/wp-files/latest/wordpress/wp-includes/js/dist/editor.jsView file
path = dist/cli/wp-files/latest/wordpress/wp-includes/js/dist/editor.js kind = oversized_source_file sizeBytes = 2616628 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/cli/wp-files/latest/wordpress/wp-includes/js/dist/editor.jsView on unpkg
dist/cli/wp-files/phpmyadmin/js/vendor/zxcvbn-ts.jsView file
1917patternName = generic_password severity = medium line = 1917 matchedText = // risky...ble"
Medium
Secret Pattern

Hardcoded password in dist/cli/wp-files/phpmyadmin/js/vendor/zxcvbn-ts.js

dist/cli/wp-files/phpmyadmin/js/vendor/zxcvbn-ts.jsView on unpkg · L1917
dist/cli/wp-files/latest/wordpress/wp-admin/js/auth-app.min.jsView file
2patternName = generic_password severity = medium line = 2 matchedText = !functio...pp);
Medium
Secret Pattern

Hardcoded password in dist/cli/wp-files/latest/wordpress/wp-admin/js/auth-app.min.js

dist/cli/wp-files/latest/wordpress/wp-admin/js/auth-app.min.jsView on unpkg · L2

Findings

1 Critical5 High7 Medium9 Low
CriticalPrevious Version Dangerous Deltadist/cli/tos-notice-DYaFPFHN.mjs
HighChild Processdist/cli/tos-notice-DYaFPFHN.mjs
HighShelldist/cli/migrations-CPVgEMkn.mjs
HighCross File Remote Execution Contextdist/cli/tos-notice-DYaFPFHN.mjs
HighShips High Entropy Blobdist/cli/wp-files/phpmyadmin/vendor/tecnickcom/tcpdf/fonts/dejavusansb.z
HighOversized Source Filedist/cli/wp-files/latest/wordpress/wp-includes/js/dist/editor.js
MediumSecret Patterndist/cli/wp-files/latest/wordpress/wp-admin/js/auth-app.js
MediumDynamic Requiredist/cli/tos-notice-DYaFPFHN.mjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
MediumSecret Patterndist/cli/wp-files/phpmyadmin/js/vendor/zxcvbn-ts.js
MediumSecret Patterndist/cli/wp-files/latest/wordpress/wp-admin/js/auth-app.min.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/cli/tos-notice-DYaFPFHN.mjs
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowCopyleft License