Security hardening (audit): HTTPS warning, capability disclosure, permissions (v3.8.0) #9
…re permissions (v3.8.0) Safe-additive hardening for ClawHub audit findings. No breaking changes — http:// now warns (opt-in WP_REQUIRE_HTTPS=1 to refuse), description discloses no-auth site audit, permissions declared. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 78c4d44261
| - "WP_CONFIG (optional sites.json path), WP_ALLOWED_FILE_ROOTS (file-read scope)" | ||
| - "WP_ALLOW_REMOTE_URLS, WP_REQUIRE_HTTPS, PAGESPEED_API_KEY" | ||
| network: | ||
| - "Outbound HTTPS to the configured WordPress site(s) /wp-json/ REST API" |
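Review bot: The two env entries at the top of this hunk each pack several variable names, plus parenthetical notes, into one quoted string, so anything that consumes the permissions block cannot match a variable name exactly; list one variable per item (for example "WP_REQUIRE_HTTPS" on its own) and move the notes into YAML comments. The env list also names PAGESPEED_API_KEY and WP_ALLOW_REMOTE_URLS, while the only network entry visible here covers the WordPress /wp-json/ REST API; if the entries that follow do not cover the PageSpeed API and whatever WP_ALLOW_REMOTE_URLS permits, add them.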
Disclose HTTP egress in permissions
When a user supplies an http:// WordPress URL, the new warn_insecure_wp_url() path only warns by default and the scripts still send the request unless WP_REQUIRE_HTTPS=1 is set, so this permission entry underreports the skill's actual network access. This matters for the newly added least-privilege disclosure because local-dev HTTP is explicitly supported and public HTTP is still allowed with a warning; the permission should include HTTP egress or say HTTPS is recommended/enforceable rather than exclusive.
Addresses ClawHub security-audit findings, safe-additive (no breaking changes).
Changes
- http:// WordPress URLs (Basic-Auth creds would be cleartext). Default = stderr warning only; set WP_REQUIRE_HTTPS=1 to refuse. Localhost/dev hosts exempt → no break for local dev.
- description now discloses the no-auth Tier-1 site audit (PageSpeed/SSL/headers/CMS-PHP fingerprint/SEO) + authenticated plugin discovery.
- permissions: declaration added to SKILL.md frontmatter (env / network / filesystem / shell). No YAML validator found in CI so frontmatter was used directly.
- .test/.localhost hosts and the local-exemption-with-WP_REQUIRE_HTTPS case).
Scripts wired with warn_insecure_wp_url
create_post.py, update_post.py, get_post.py, list_posts.py, upload_media.py, batch_update.py, seo_meta.py, acf_fields.py, jetengine_fields.py, detect_plugins.py, woo_products.py, elementor_content.py, seed_content.py (execute path only), wp_cli.py (dispatch point). site_audit.py skipped (no auth).
Test results
- CI command: python3 tests/test_security.py && python3 tests/test_cpt_seeding.py && python3 tests/test_site_audit.py
- python3 -m compileall wordpress-api-pro/scripts): PASS (16 scripts, 0 errors)
Skipped (would be breaking, deferred per scope decision): raw-meta-key allowlist gate, publish-confirmation gate on single-write scripts.
🤖 Generated with Claude Code
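The policy the description lays out (warn on http://, refuse when WP_REQUIRE_HTTPS=1, exempt local dev hosts), as an added sketch that is not the project's warn_insecure_wp_url. The names check_wp_url and is_local_host, the exact set of local names, and keeping local hosts exempt under WP_REQUIRE_HTTPS=1 are assumptions.

```python
import ipaddress
import os
import sys
from urllib.parse import urlsplit

# Assumed "local dev" names; the page itself only mentions localhost, .test and .localhost.
LOCAL_NAMES = {"localhost"}
LOCAL_SUFFIXES = (".test", ".localhost")


def is_local_host(host):
    """True for loopback addresses and reserved dev names, matched on whole labels."""
    host = (host or "").rstrip(".").lower()
    if not host:
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        pass  # not an IP literal, fall through to name matching
    # Suffixes start with a dot, so "contest" or "evil.test.example.com" do not match.
    return host in LOCAL_NAMES or host.endswith(LOCAL_SUFFIXES)


def check_wp_url(url, env=None):
    """Return 'ok', 'warn' or 'refuse' for a WordPress base URL (hypothetical helper)."""
    env = os.environ if env is None else env
    parts = urlsplit(url)
    if parts.scheme == "https":
        return "ok"
    # urlsplit().hostname drops userinfo, so http://localhost@example.com is NOT local.
    if parts.scheme == "http" and is_local_host(parts.hostname):
        return "ok"
    # Log only the host: the full URL may carry credentials in its userinfo part.
    if env.get("WP_REQUIRE_HTTPS") == "1":
        print(f"refusing non-HTTPS WordPress URL for host {parts.hostname}", file=sys.stderr)
        return "refuse"
    print(f"warning: host {parts.hostname} is not reached over HTTPS; "
          "Basic-Auth credentials would be sent in cleartext", file=sys.stderr)
    return "warn"
```
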