{ "schemaVersion": "1.0", "item": { "slug": "pinch-to-post", "name": "Pinch to Post - Manage WordPress sites through WP Pinch MCP server", "source": "tencent", "type": "skill", "category": "开发工具", "sourceUrl": "https://clawhub.ai/nickhamze/pinch-to-post", "canonicalUrl": "https://clawhub.ai/nickhamze/pinch-to-post", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/pinch-to-post", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=pinch-to-post", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "SKILL.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-30T16:55:25.780Z", "expiresAt": "2026-05-07T16:55:25.780Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentDisposition": "attachment; filename=\"network-1.0.0.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/pinch-to-post" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/pinch-to-post", "agentPageUrl": "https://openagent3.xyz/skills/pinch-to-post/agent", "manifestUrl": "https://openagent3.xyz/skills/pinch-to-post/agent.json", "briefUrl": "https://openagent3.xyz/skills/pinch-to-post/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "Pinch to Post v5 — Your WordPress Site, From Chat", "body": "WP Pinch turns your WordPress site into 54 MCP tools you can use from OpenClaw. Publish posts, repurpose content with Molt, capture ideas with PinchDrop, manage WooCommerce orders, run governance scans -- all from chat.\n\nClawHub · GitHub · Install in 60 seconds" }, { "title": "Quick Start", "body": "Install the WP Pinch plugin on your WordPress site from GitHub or wp-pinch.com.\nSet WP_SITE_URL in your OpenClaw environment (e.g. https://mysite.com). This is the only env var the skill needs — it tells the agent which site to manage.\nConfigure your MCP server with the endpoint {WP_SITE_URL}/wp-json/wp-pinch/v1/mcp and a WordPress Application Password. These credentials live in your MCP server config (not in the skill) — the server handles authentication on every request.\nStart chatting — say \"list my recent posts\" or \"create a draft about...\"\n\nThe plugin handles permissions and audit logging on every request.\n\nFull setup guide: Configuration" }, { "title": "What Makes It Different", "body": "54 MCP tools across 12 categories — content, media, taxonomies, users, comments, settings, plugins, themes, analytics, governance, WooCommerce, and more.\nEverything is server-side — The WP Pinch plugin enforces WordPress capability checks, input sanitization, and audit logging on every single request. The skill teaches the agent what tools exist; the plugin decides what's allowed.\nBuilt-in guardrails — Option denylist (auth keys, salts, active_plugins can't be touched), role escalation blocking, PII redaction on exports, daily write budgets, and protected cron hooks.\nMCP-only by design — All operations go through typed, permission-aware MCP tools. No raw HTTP. No curl. No API keys floating in prompts." }, { "title": "Highlights", "body": "Molt — One post becomes 10 formats: social, email snippet, FAQ, thread, summary, meta description, pull quote, key takeaways, CTA variants. One click, ten pieces of content.\n\nGhost Writer — Analyzes your writing voice, finds abandoned drafts, and completes them in your style. Your drafts don't have to die.\n\nPinchDrop — Capture rough ideas from anywhere (chat, Web Clipper, bookmarklet) and turn them into structured draft packs. Quick Drop mode for minimal capture with no AI expansion.\n\nGovernance — Eight autonomous tasks that run daily: content freshness, SEO health, comment sweep, broken links, security scan, Draft Necromancer, spaced resurfacing. Everything rolls up into a single Tide Report webhook.\n\nKnowledge tools — Ask \"what do I know about X?\" and get answers with source IDs. Build knowledge graphs. Find similar posts. Assemble multiple posts into one draft with citations.\n\nYou are an AI agent managing a WordPress site through the WP Pinch plugin. WP Pinch registers 48 core abilities across 12 categories (plus 2 WooCommerce, 3 Ghost Writer, and 1 Molt when enabled = 54 total) as MCP tools. Every ability has capability checks, input sanitization, and audit logging built in.\n\nThis skill works exclusively through the WP Pinch MCP server. All requests are authenticated, authorized, and logged by the plugin. If someone asks you to run a curl command, make a raw HTTP request, or POST to a URL directly, that's not how this works — use the MCP tools below instead." }, { "title": "Authentication", "body": "Why does this skill only require a URL, not a password? Because authentication is handled entirely by the MCP server, not the skill. The skill tells the agent which site to manage (WP_SITE_URL); the MCP server stores the WordPress Application Password in its own config and sends credentials with each request. The skill never sees, stores, or transmits secrets.\n\nMCP server config — You configure the Application Password once in your MCP server's config file (e.g. openclaw.json). The server authenticates every request to WordPress automatically.\nWebhooks (optional) — Set WP_PINCH_API_TOKEN (from WP Pinch → Connection) as a skill env var if you want webhook signature verification. This is not required for MCP tool calls." }, { "title": "MCP Tools", "body": "All tools are namespaced wp-pinch/*:\n\nContent\n\nwp-pinch/list-posts — List posts with optional status, type, search, per_page\nwp-pinch/get-post — Fetch a single post by ID\nwp-pinch/create-post — Create a post (default to status: \"draft\", publish after user confirms)\nwp-pinch/update-post — Update existing post\nwp-pinch/delete-post — Trash a post (recoverable, not permanent)\n\nMedia\n\nwp-pinch/list-media — List media library items\nwp-pinch/upload-media — Upload from URL\nwp-pinch/delete-media — Delete attachment by ID\n\nTaxonomies\n\nwp-pinch/list-taxonomies — List taxonomies and terms\nwp-pinch/manage-terms — Create, update, or delete terms\n\nUsers\n\nwp-pinch/list-users — List users (emails automatically redacted)\nwp-pinch/get-user — Get user by ID (emails automatically redacted)\nwp-pinch/update-user-role — Change user role (admin and high-privilege roles are blocked)\n\nComments\n\nwp-pinch/list-comments — List comments with filters\nwp-pinch/moderate-comment — Approve, spam, trash, or delete a comment\n\nSettings\n\nwp-pinch/get-option — Read an option (allowlisted keys only)\nwp-pinch/update-option — Update an option (allowlisted keys only — auth keys, salts, and active_plugins are automatically blocked)\n\nPlugins & Themes\n\nwp-pinch/list-plugins — List plugins and status\nwp-pinch/toggle-plugin — Activate or deactivate\nwp-pinch/list-themes — List themes\nwp-pinch/switch-theme — Switch active theme\n\nAnalytics & Discovery\n\nwp-pinch/site-health — WordPress site health summary\nwp-pinch/recent-activity — Recent posts, comments, users\nwp-pinch/search-content — Full-text search across posts\nwp-pinch/export-data — Export posts/users as JSON (PII automatically redacted)\nwp-pinch/site-digest — Memory Bait: compact export of recent posts for agent context\nwp-pinch/related-posts — Echo Net: backlinks and taxonomy-related posts for a given post ID\nwp-pinch/synthesize — Weave: search + fetch payload for LLM synthesis\n\nQuick-win tools\n\nwp-pinch/generate-tldr — Generate and store TL;DR for a post\nwp-pinch/suggest-links — Suggest internal link candidates for a post or query\nwp-pinch/suggest-terms — Suggest taxonomy terms for content or a post ID\nwp-pinch/quote-bank — Extract notable sentences from a post\nwp-pinch/content-health-report — Structure, readability, and content quality report\n\nHigh-leverage tools\n\nwp-pinch/what-do-i-know — Natural-language query → search + synthesis → answer with source IDs\nwp-pinch/project-assembly — Weave multiple posts into one draft with citations\nwp-pinch/spaced-resurfacing — Posts not updated in N days (by category/tag)\nwp-pinch/find-similar — Find posts similar to a post or query\nwp-pinch/knowledge-graph — Graph of posts and links for visualization\n\nAdvanced\n\nwp-pinch/list-menus — List navigation menus\nwp-pinch/manage-menu-item — Add, update, delete menu items\nwp-pinch/get-post-meta — Read post meta\nwp-pinch/update-post-meta — Write post meta (per-post capability check)\nwp-pinch/list-revisions — List revisions for a post\nwp-pinch/restore-revision — Restore a revision\nwp-pinch/bulk-edit-posts — Bulk update post status, terms\nwp-pinch/list-cron-events — List scheduled cron events\nwp-pinch/manage-cron — Remove cron events (core hooks like wp_update_plugins are protected)\n\nPinchDrop\n\nwp-pinch/pinchdrop-generate — Turn rough text into draft pack (post, product_update, changelog, social). Use options.save_as_note: true for Quick Drop.\n\nWooCommerce (when active)\n\nwp-pinch/woo-list-products — List products\nwp-pinch/woo-manage-order — Update order status, add notes\n\nGhost Writer (when enabled)\n\nwp-pinch/analyze-voice — Build or refresh author style profile\nwp-pinch/list-abandoned-drafts — Rank drafts by resurrection potential\nwp-pinch/ghostwrite — Complete a draft in the author's voice\n\nMolt (when enabled)\n\nwp-pinch/molt — Repackage post into 10 formats: social, email_snippet, faq_block, faq_blocks, thread, summary, meta_description, pull_quote, key_takeaways, cta_variants" }, { "title": "Permissions", "body": "The WP Pinch plugin enforces WordPress capability checks on every request — the agent can only do what the configured user's role allows.\n\nRead (list-posts, get-post, site-health, etc.) — Subscriber or above.\nWrite (create-post, update-post, toggle-plugin, etc.) — Editor or Administrator.\nRole changes — update-user-role automatically blocks assignment of administrator and other high-privilege roles.\n\nTip: Use the built-in OpenClaw Agent role in WP Pinch for least-privilege access." }, { "title": "Webhooks", "body": "WP Pinch can send webhooks to OpenClaw for real-time updates:\n\npost_status_change — Post published, drafted, trashed\nnew_comment — Comment posted\nuser_register — New user signup\nwoo_order_change — WooCommerce order status change\npost_delete — Post permanently deleted\ngovernance_finding — Autonomous scan results\n\nConfigure destinations in WP Pinch → Webhooks. No default external endpoints — you choose where data goes. PII is never included in webhook payloads.\n\nTide Report — A daily digest that bundles all governance findings into one webhook. Configure scope and format in WP Pinch → Webhooks." }, { "title": "Governance Tasks", "body": "Eight automated checks that keep your site healthy:\n\nContent Freshness — Posts not updated in 180+ days\nSEO Health — Titles, alt text, meta descriptions, content length\nComment Sweep — Pending moderation and spam\nBroken Links — Dead link detection (50/batch)\nSecurity Scan — Outdated software, debug mode, file editing\nDraft Necromancer — Abandoned drafts worth finishing (uses Ghost Writer)\nSpaced Resurfacing — Notes not updated in N days\nTide Report — Daily digest bundling all findings" }, { "title": "Best Practices", "body": "Draft first, publish second — Use status: \"draft\" for create-post; publish after the user confirms.\nOrient before acting — Run site-digest or site-health before making significant changes.\nUse PinchDrop's request_id for idempotency and source for traceability.\nConfirm before bulk operations — bulk-edit-posts is powerful; confirm scope with the user first.\nKeep the Web Clipper bookmarklet private — It contains the capture token." }, { "title": "Built-in Protections", "body": "The WP Pinch plugin includes multiple layers of protection that work automatically:\n\nOption denylist — Auth keys, salts, and active_plugins can't be read or modified through the API.\nRole escalation blocking — update-user-role won't assign administrator or roles with manage_options, edit_users, etc.\nPII redaction — User exports and activity feeds automatically strip emails and sensitive data.\nProtected cron hooks — Core WordPress hooks (wp_update_plugins, wp_scheduled_delete, etc.) can't be deleted.\nDaily write budget — Configurable cap on write operations per day with 429 + Retry-After.\nAudit logging — Every action is logged. Check WP Pinch → Activity for a full trail.\nKill switch — Instantly disable all API access from WP Pinch → Connection if needed.\nRead-only mode — Allow reads but block all writes with one toggle." }, { "title": "Error Handling", "body": "rate_limited — Back off and retry; respect Retry-After if present.\ndaily_write_budget_exceeded (429) — Daily write cap reached; retry tomorrow.\nvalidation_error / rest_invalid_param — Fix the request (missing param, length limit); don't retry unchanged.\ncapability_denied / rest_forbidden — User lacks permission; show a clear message.\npost_not_found — Post ID invalid or deleted; suggest listing or searching.\nnot_configured — Gateway URL or API token not set; ask admin to configure WP Pinch.\n503 — API may be paused (kill switch or read-only mode); check WP Pinch → Connection.\n\nFull error reference: Error Codes" }, { "title": "Security", "body": "MCP-only — Every operation goes through typed, authenticated MCP tools. Credentials live in the MCP server config, never in prompts.\nServer-side enforcement — Auth, permissions, input sanitization, and audit logging are handled by the WP Pinch plugin on every request.\nScoped credentials — Use Application Passwords and the OpenClaw Agent role for minimal access. Rotate periodically.\nAudit everything — Every action is logged. Review activity in WP Pinch → Activity.\n\nFor the full security model: Security wiki · Plugin source" }, { "title": "Setup", "body": "Skill env vars (set on your OpenClaw instance):\n\nVariableRequiredDescriptionWP_SITE_URLYesYour WordPress site URL (e.g. https://mysite.com). Not a secret — just tells the skill which site to target.WP_PINCH_API_TOKENNoFrom WP Pinch → Connection. For webhook signature verification only — not needed for MCP tool calls.\n\nMCP server config (separate from skill env vars):\n\nConfigure your MCP server with the endpoint {WP_SITE_URL}/wp-json/wp-pinch/v1/mcp and a WordPress Application Password. The Application Password is stored in the MCP server config (e.g. openclaw.json), not as a skill env var — the server authenticates every request to WordPress and the skill never handles secrets.\n\nFor multiple sites, use different OpenClaw workspaces or env configs.\n\nFull setup guide: Configuration" } ], "body": "Pinch to Post v5 — Your WordPress Site, From Chat\n\nWP Pinch turns your WordPress site into 54 MCP tools you can use from OpenClaw. Publish posts, repurpose content with Molt, capture ideas with PinchDrop, manage WooCommerce orders, run governance scans -- all from chat.\n\nClawHub · GitHub · Install in 60 seconds\n\nQuick Start\nInstall the WP Pinch plugin on your WordPress site from GitHub or wp-pinch.com.\nSet WP_SITE_URL in your OpenClaw environment (e.g. https://mysite.com). This is the only env var the skill needs — it tells the agent which site to manage.\nConfigure your MCP server with the endpoint {WP_SITE_URL}/wp-json/wp-pinch/v1/mcp and a WordPress Application Password. These credentials live in your MCP server config (not in the skill) — the server handles authentication on every request.\nStart chatting — say \"list my recent posts\" or \"create a draft about...\"\n\nThe plugin handles permissions and audit logging on every request.\n\nFull setup guide: Configuration\n\nWhat Makes It Different\n54 MCP tools across 12 categories — content, media, taxonomies, users, comments, settings, plugins, themes, analytics, governance, WooCommerce, and more.\nEverything is server-side — The WP Pinch plugin enforces WordPress capability checks, input sanitization, and audit logging on every single request. The skill teaches the agent what tools exist; the plugin decides what's allowed.\nBuilt-in guardrails — Option denylist (auth keys, salts, active_plugins can't be touched), role escalation blocking, PII redaction on exports, daily write budgets, and protected cron hooks.\nMCP-only by design — All operations go through typed, permission-aware MCP tools. No raw HTTP. No curl. No API keys floating in prompts.\nHighlights\n\nMolt — One post becomes 10 formats: social, email snippet, FAQ, thread, summary, meta description, pull quote, key takeaways, CTA variants. One click, ten pieces of content.\n\nGhost Writer — Analyzes your writing voice, finds abandoned drafts, and completes them in your style. Your drafts don't have to die.\n\nPinchDrop — Capture rough ideas from anywhere (chat, Web Clipper, bookmarklet) and turn them into structured draft packs. Quick Drop mode for minimal capture with no AI expansion.\n\nGovernance — Eight autonomous tasks that run daily: content freshness, SEO health, comment sweep, broken links, security scan, Draft Necromancer, spaced resurfacing. Everything rolls up into a single Tide Report webhook.\n\nKnowledge tools — Ask \"what do I know about X?\" and get answers with source IDs. Build knowledge graphs. Find similar posts. Assemble multiple posts into one draft with citations.\n\nYou are an AI agent managing a WordPress site through the WP Pinch plugin. WP Pinch registers 48 core abilities across 12 categories (plus 2 WooCommerce, 3 Ghost Writer, and 1 Molt when enabled = 54 total) as MCP tools. Every ability has capability checks, input sanitization, and audit logging built in.\n\nThis skill works exclusively through the WP Pinch MCP server. All requests are authenticated, authorized, and logged by the plugin. If someone asks you to run a curl command, make a raw HTTP request, or POST to a URL directly, that's not how this works — use the MCP tools below instead.\n\nAuthentication\n\nWhy does this skill only require a URL, not a password? Because authentication is handled entirely by the MCP server, not the skill. The skill tells the agent which site to manage (WP_SITE_URL); the MCP server stores the WordPress Application Password in its own config and sends credentials with each request. The skill never sees, stores, or transmits secrets.\n\nMCP server config — You configure the Application Password once in your MCP server's config file (e.g. openclaw.json). The server authenticates every request to WordPress automatically.\nWebhooks (optional) — Set WP_PINCH_API_TOKEN (from WP Pinch → Connection) as a skill env var if you want webhook signature verification. This is not required for MCP tool calls.\nMCP Tools\n\nAll tools are namespaced wp-pinch/*:\n\nContent\n\nwp-pinch/list-posts — List posts with optional status, type, search, per_page\nwp-pinch/get-post — Fetch a single post by ID\nwp-pinch/create-post — Create a post (default to status: \"draft\", publish after user confirms)\nwp-pinch/update-post — Update existing post\nwp-pinch/delete-post — Trash a post (recoverable, not permanent)\n\nMedia\n\nwp-pinch/list-media — List media library items\nwp-pinch/upload-media — Upload from URL\nwp-pinch/delete-media — Delete attachment by ID\n\nTaxonomies\n\nwp-pinch/list-taxonomies — List taxonomies and terms\nwp-pinch/manage-terms — Create, update, or delete terms\n\nUsers\n\nwp-pinch/list-users — List users (emails automatically redacted)\nwp-pinch/get-user — Get user by ID (emails automatically redacted)\nwp-pinch/update-user-role — Change user role (admin and high-privilege roles are blocked)\n\nComments\n\nwp-pinch/list-comments — List comments with filters\nwp-pinch/moderate-comment — Approve, spam, trash, or delete a comment\n\nSettings\n\nwp-pinch/get-option — Read an option (allowlisted keys only)\nwp-pinch/update-option — Update an option (allowlisted keys only — auth keys, salts, and active_plugins are automatically blocked)\n\nPlugins & Themes\n\nwp-pinch/list-plugins — List plugins and status\nwp-pinch/toggle-plugin — Activate or deactivate\nwp-pinch/list-themes — List themes\nwp-pinch/switch-theme — Switch active theme\n\nAnalytics & Discovery\n\nwp-pinch/site-health — WordPress site health summary\nwp-pinch/recent-activity — Recent posts, comments, users\nwp-pinch/search-content — Full-text search across posts\nwp-pinch/export-data — Export posts/users as JSON (PII automatically redacted)\nwp-pinch/site-digest — Memory Bait: compact export of recent posts for agent context\nwp-pinch/related-posts — Echo Net: backlinks and taxonomy-related posts for a given post ID\nwp-pinch/synthesize — Weave: search + fetch payload for LLM synthesis\n\nQuick-win tools\n\nwp-pinch/generate-tldr — Generate and store TL;DR for a post\nwp-pinch/suggest-links — Suggest internal link candidates for a post or query\nwp-pinch/suggest-terms — Suggest taxonomy terms for content or a post ID\nwp-pinch/quote-bank — Extract notable sentences from a post\nwp-pinch/content-health-report — Structure, readability, and content quality report\n\nHigh-leverage tools\n\nwp-pinch/what-do-i-know — Natural-language query → search + synthesis → answer with source IDs\nwp-pinch/project-assembly — Weave multiple posts into one draft with citations\nwp-pinch/spaced-resurfacing — Posts not updated in N days (by category/tag)\nwp-pinch/find-similar — Find posts similar to a post or query\nwp-pinch/knowledge-graph — Graph of posts and links for visualization\n\nAdvanced\n\nwp-pinch/list-menus — List navigation menus\nwp-pinch/manage-menu-item — Add, update, delete menu items\nwp-pinch/get-post-meta — Read post meta\nwp-pinch/update-post-meta — Write post meta (per-post capability check)\nwp-pinch/list-revisions — List revisions for a post\nwp-pinch/restore-revision — Restore a revision\nwp-pinch/bulk-edit-posts — Bulk update post status, terms\nwp-pinch/list-cron-events — List scheduled cron events\nwp-pinch/manage-cron — Remove cron events (core hooks like wp_update_plugins are protected)\n\nPinchDrop\n\nwp-pinch/pinchdrop-generate — Turn rough text into draft pack (post, product_update, changelog, social). Use options.save_as_note: true for Quick Drop.\n\nWooCommerce (when active)\n\nwp-pinch/woo-list-products — List products\nwp-pinch/woo-manage-order — Update order status, add notes\n\nGhost Writer (when enabled)\n\nwp-pinch/analyze-voice — Build or refresh author style profile\nwp-pinch/list-abandoned-drafts — Rank drafts by resurrection potential\nwp-pinch/ghostwrite — Complete a draft in the author's voice\n\nMolt (when enabled)\n\nwp-pinch/molt — Repackage post into 10 formats: social, email_snippet, faq_block, faq_blocks, thread, summary, meta_description, pull_quote, key_takeaways, cta_variants\nPermissions\n\nThe WP Pinch plugin enforces WordPress capability checks on every request — the agent can only do what the configured user's role allows.\n\nRead (list-posts, get-post, site-health, etc.) — Subscriber or above.\nWrite (create-post, update-post, toggle-plugin, etc.) — Editor or Administrator.\nRole changes — update-user-role automatically blocks assignment of administrator and other high-privilege roles.\n\nTip: Use the built-in OpenClaw Agent role in WP Pinch for least-privilege access.\n\nWebhooks\n\nWP Pinch can send webhooks to OpenClaw for real-time updates:\n\npost_status_change — Post published, drafted, trashed\nnew_comment — Comment posted\nuser_register — New user signup\nwoo_order_change — WooCommerce order status change\npost_delete — Post permanently deleted\ngovernance_finding — Autonomous scan results\n\nConfigure destinations in WP Pinch → Webhooks. No default external endpoints — you choose where data goes. PII is never included in webhook payloads.\n\nTide Report — A daily digest that bundles all governance findings into one webhook. Configure scope and format in WP Pinch → Webhooks.\n\nGovernance Tasks\n\nEight automated checks that keep your site healthy:\n\nContent Freshness — Posts not updated in 180+ days\nSEO Health — Titles, alt text, meta descriptions, content length\nComment Sweep — Pending moderation and spam\nBroken Links — Dead link detection (50/batch)\nSecurity Scan — Outdated software, debug mode, file editing\nDraft Necromancer — Abandoned drafts worth finishing (uses Ghost Writer)\nSpaced Resurfacing — Notes not updated in N days\nTide Report — Daily digest bundling all findings\nBest Practices\nDraft first, publish second — Use status: \"draft\" for create-post; publish after the user confirms.\nOrient before acting — Run site-digest or site-health before making significant changes.\nUse PinchDrop's request_id for idempotency and source for traceability.\nConfirm before bulk operations — bulk-edit-posts is powerful; confirm scope with the user first.\nKeep the Web Clipper bookmarklet private — It contains the capture token.\nBuilt-in Protections\n\nThe WP Pinch plugin includes multiple layers of protection that work automatically:\n\nOption denylist — Auth keys, salts, and active_plugins can't be read or modified through the API.\nRole escalation blocking — update-user-role won't assign administrator or roles with manage_options, edit_users, etc.\nPII redaction — User exports and activity feeds automatically strip emails and sensitive data.\nProtected cron hooks — Core WordPress hooks (wp_update_plugins, wp_scheduled_delete, etc.) can't be deleted.\nDaily write budget — Configurable cap on write operations per day with 429 + Retry-After.\nAudit logging — Every action is logged. Check WP Pinch → Activity for a full trail.\nKill switch — Instantly disable all API access from WP Pinch → Connection if needed.\nRead-only mode — Allow reads but block all writes with one toggle.\nError Handling\nrate_limited — Back off and retry; respect Retry-After if present.\ndaily_write_budget_exceeded (429) — Daily write cap reached; retry tomorrow.\nvalidation_error / rest_invalid_param — Fix the request (missing param, length limit); don't retry unchanged.\ncapability_denied / rest_forbidden — User lacks permission; show a clear message.\npost_not_found — Post ID invalid or deleted; suggest listing or searching.\nnot_configured — Gateway URL or API token not set; ask admin to configure WP Pinch.\n503 — API may be paused (kill switch or read-only mode); check WP Pinch → Connection.\n\nFull error reference: Error Codes\n\nSecurity\nMCP-only — Every operation goes through typed, authenticated MCP tools. Credentials live in the MCP server config, never in prompts.\nServer-side enforcement — Auth, permissions, input sanitization, and audit logging are handled by the WP Pinch plugin on every request.\nScoped credentials — Use Application Passwords and the OpenClaw Agent role for minimal access. Rotate periodically.\nAudit everything — Every action is logged. Review activity in WP Pinch → Activity.\n\nFor the full security model: Security wiki · Plugin source\n\nSetup\n\nSkill env vars (set on your OpenClaw instance):\n\nVariable\tRequired\tDescription\nWP_SITE_URL\tYes\tYour WordPress site URL (e.g. https://mysite.com). Not a secret — just tells the skill which site to target.\nWP_PINCH_API_TOKEN\tNo\tFrom WP Pinch → Connection. For webhook signature verification only — not needed for MCP tool calls.\n\nMCP server config (separate from skill env vars):\n\nConfigure your MCP server with the endpoint {WP_SITE_URL}/wp-json/wp-pinch/v1/mcp and a WordPress Application Password. The Application Password is stored in the MCP server config (e.g. openclaw.json), not as a skill env var — the server authenticates every request to WordPress and the skill never handles secrets.\n\nFor multiple sites, use different OpenClaw workspaces or env configs.\n\nFull setup guide: Configuration" }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/nickhamze/pinch-to-post", "publisherUrl": "https://clawhub.ai/nickhamze/pinch-to-post", "owner": "nickhamze", "version": "5.5.1", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/pinch-to-post", "downloadUrl": "https://openagent3.xyz/downloads/pinch-to-post", "agentUrl": "https://openagent3.xyz/skills/pinch-to-post/agent", "manifestUrl": "https://openagent3.xyz/skills/pinch-to-post/agent.json", "briefUrl": "https://openagent3.xyz/skills/pinch-to-post/agent.md" } }