[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fqisrGS2rb-zFDqELig4E4PLlFptPGF6xL7JHInW9z3I":3,"$fR5LQfvmHkJtrYidXLA89X5b1pOtJd626B9aKYxB_QR4":222,"$fLsx6YnEiVIJv8DNVYeBtxR9wq6JLuOVRiujG7XrdFyw":226},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":11,"last_updated":13,"tested_up_to":14,"requires_at_least":15,"requires_php":16,"tags":17,"homepage":18,"download_link":19,"security_score":20,"vuln_count":11,"unpatched_count":11,"last_vuln_date":21,"fetched_at":22,"discovery_status":23,"vulnerabilities":24,"developer":25,"crawl_stats":21,"alternatives":33,"analysis":34,"fingerprints":196},"miniorange-ai-agent","miniOrange AI Agent","1.1.0","miniOrange","https:\u002F\u002Fprofiles.wordpress.org\u002Fcyberlord92\u002F","\u003Cul>\n\u003Cli>\u003Cstrong>OAuth 2.0 (Authorization Code + PKCE)\u003C\u002Fstrong>: Lets AI assistants connect with user consent. Admin \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> \u003Cstrong>AI Agent\u003C\u002Fstrong> \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> \u003Cstrong>OAuth\u003C\u002Fstrong> for client credentials; authorization URL \u003Ccode>\u002Fmo-llm-oauth\u002Fauthorize\u003C\u002Fcode>, token endpoint \u003Ccode>POST \u002Fwp-json\u002Fmo-llm-oauth\u002Fv1\u002Ftoken\u003C\u002Fcode>.\u003C\u002Fli>\n\u003Cli>\n\u003Cp>\u003Cstrong>Support\u003C\u002Fstrong>: On the same \u003Cstrong>OAuth\u003C\u002Fstrong> screen, the support form appears on the right (email query and callback; miniOrange contact API).\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>Registers abilities: Create Post, Generate Meta Description, Get Site Info, Get Site URL, Generate Post Summary.\u003C\u002Fp>\n\u003C\u002Fli>\n\u003Cli>Connects them to the \u003Cstrong>AI Client\u003C\u002Fstrong> so the model can call tools (Phase 1).\u003C\u002Fli>\n\u003Cli>Exposes a \u003Cstrong>REST endpoint\u003C\u002Fstrong> \u003Ccode>POST \u002Fwp-json\u002Fmoaiagent\u002Fv1\u002Fchat\u003C\u002Fcode> for an AI Agent loop (Phase 2).\u003C\u002Fli>\n\u003Cli>Provides a \u003Cstrong>minimal Agent UI\u003C\u002Fstrong> (chat box) in the admin (Phase 3).\u003C\u002Fli>\n\u003Cli>Adds an \u003Cstrong>AI-powered ability\u003C\u002Fstrong>: Generate Post Summary, which uses the AI Client internally (Phase 4).\u003C\u002Fli>\n\u003Cli>Injects \u003Cstrong>context\u003C\u002Fstrong> (site name, user role, optional current post) into the prompt (Phase 5).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security\u003C\u002Fstrong>: input validation, capability checks in execute callbacks, rate limiting, logging (Phases 6–7).\u003C\u002Fli>\n\u003Cli>Uses \u003Cstrong>generate_result()\u003C\u002Fstrong> so the SDK can handle tool execution loops for chained abilities (Phase 8).\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Registered abilities\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Create Post\u003C\u002Fstrong> (\u003Ccode>moaiagent\u002Fcreate-post\u003C\u002Fcode>) – Creates a new post. Permission: \u003Ccode>edit_posts\u003C\u002Fcode>.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Get Site URL\u003C\u002Fstrong> (\u003Ccode>moaiagent\u002Fget-site-url\u003C\u002Fcode>) – Returns the site URL. Permission: \u003Ccode>read\u003C\u002Fcode>.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Generate Post Summary\u003C\u002Fstrong> (\u003Ccode>moaiagent\u002Fgenerate-post-summary\u003C\u002Fcode>) – AI-generated summary of content. Requires AI Client. Permission: \u003Ccode>edit_posts\u003C\u002Fcode>.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>miniOrange AI Agent (requires AI Client plugin)\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>Menu\u003C\u002Fstrong>: Admin \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> AI Agent. Chat with the assistant; it can create posts, generate meta descriptions, summarize content, and get site info.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>REST\u003C\u002Fstrong>: \u003Ccode>POST \u002Fwp-json\u002Fmoaiagent\u002Fv1\u002Fchat\u003C\u002Fcode> with body \u003Ccode>{ \"message\": \"Create a draft post titled Welcome\" }\u003C\u002Fcode>. Permission: \u003Ccode>prompt_ai\u003C\u002Fcode>. Rate limited (e.g. 30 requests per minute per user).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Execution Log\u003C\u002Fstrong>: Admin \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> AI Agent \u003Cspan aria-hidden=\"true\" class=\"wp-exclude-emoji\">→\u003C\u002Fspan> Execution Log. Lists recent ability executions and chat requests (admins only).\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Client-side usage\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Ccode>window.moaiaAgentAbilities.getAbilities()\u003C\u002Fcode> – list AI Agent abilities\u003C\u002Fli>\n\u003Cli>\u003Ccode>window.moaiaAgentAbilities.execute('moaiagent\u002Fcreate-post', { title: 'Hello', status: 'draft' })\u003C\u002Fcode> – returns a Promise\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Abilities are also available via Command Palette, AI Client (using_abilities), and REST.\u003C\u002Fp>\n\u003Ch4>Requirements\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>WordPress 6.9+ (Abilities API).\u003C\u002Fli>\n\u003Cli>For the AI Agent (chat, Generate Post Summary): the \u003Cstrong>AI Client\u003C\u002Fstrong> plugin must be installed and configured; user needs \u003Ccode>prompt_ai\u003C\u002Fcode> capability.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>External services\u003C\u002Fh3>\n\u003Cp>This plugin integrates with the \u003Cstrong>AI Client for WordPress\u003C\u002Fstrong> plugin, which connects to external AI model APIs (such as Anthropic Claude or Google Gemini) to process chat messages and generate text content.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>What data is sent:\u003C\u002Fstrong> User chat messages, system context (site name, URL, user role, optional post title\u002FID), and conversation history are sent to the configured AI provider when the \u002Fchat REST endpoint is called.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>When it is sent:\u003C\u002Fstrong> Only when a logged-in user with the \u003Ccode>prompt_ai\u003C\u002Fcode> capability submits a message via the AI Agent chat interface or REST API.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Third-party services used (via AI Client plugin):\u003C\u002Fstrong>\u003Cbr \u002F>\n* Anthropic Claude — https:\u002F\u002Fwww.anthropic.com\u002F\u003Cbr \u002F>\n  * Terms of Service: https:\u002F\u002Fwww.anthropic.com\u002Flegal\u002Fconsumer-terms\u003Cbr \u002F>\n  * Privacy Policy: https:\u002F\u002Fwww.anthropic.com\u002Flegal\u002Fprivacy\u003Cbr \u002F>\n* Google Gemini — https:\u002F\u002Fai.google.dev\u002F\u003Cbr \u002F>\n  * Terms of Service: https:\u002F\u002Fai.google.dev\u002Fgemini-api\u002Fterms\u003Cbr \u002F>\n  * Privacy Policy: https:\u002F\u002Fpolicies.google.com\u002Fprivacy\u003C\u002Fp>\n\u003Cp>No data is sent without an active user session and explicit user action. No data is stored by this plugin beyond the execution log (stored locally in wp_options).\u003C\u002Fp>\n","WordPress 6.9 Abilities API integration: register abilities, REST \u002Fchat endpoint, AI Agent chat UI, execution logging, AI-powered tools, OAuth 2.",0,126,"2026-04-06T09:16:00.000Z","6.9.4","6.9","7.4",[],"https:\u002F\u002Fplugins.miniorange.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fminiorange-ai-agent.1.1.0.zip",100,null,"2026-04-16T10:56:18.058Z","no_bundle",[],{"slug":26,"display_name":7,"profile_url":8,"plugin_count":27,"total_installs":28,"avg_security_score":29,"avg_patch_time_days":30,"trust_score":31,"computed_at":32},"cyberlord92",41,83140,96,324,76,"2026-05-19T19:15:05.857Z",[],{"attackSurface":35,"codeSignals":137,"taintFlows":152,"riskAssessment":189,"analyzedAt":195},{"hooks":36,"ajaxHandlers":133,"restRoutes":134,"shortcodes":135,"cronEvents":136,"entryPointCount":11,"unprotectedCount":11},[37,43,47,51,57,61,66,70,73,77,81,85,90,94,97,101,105,109,113,117,122,125,129],{"type":38,"name":39,"callback":40,"file":41,"line":42},"action","wp_abilities_api_categories_init","register_category","includes\u002Fclass-moaiagent-abilities.php",26,{"type":38,"name":44,"callback":45,"file":41,"line":46},"wp_abilities_api_init","register_abilities",27,{"type":38,"name":48,"callback":49,"file":41,"line":50},"admin_enqueue_scripts","enqueue_admin_script",28,{"type":52,"name":53,"callback":54,"priority":55,"file":41,"line":56},"filter","wp_register_ability_args","normalize_ability_schema_properties",10,30,{"type":38,"name":58,"callback":59,"file":41,"line":60},"admin_footer","inline_abilities_demo",584,{"type":38,"name":62,"callback":63,"file":64,"line":65},"init","mo_llm_add_rewrite_rules","includes\u002Fclass-moaiagent-oauth-connector.php",39,{"type":38,"name":67,"callback":68,"file":64,"line":69},"wp_enqueue_scripts","mo_llm_enqueue_styles",40,{"type":52,"name":71,"callback":72,"file":64,"line":27},"query_vars","mo_llm_register_query_vars",{"type":38,"name":74,"callback":75,"priority":11,"file":64,"line":76},"parse_request","mo_llm_handle_discovery_endpoint",43,{"type":38,"name":78,"callback":79,"file":64,"line":80},"template_redirect","mo_llm_handle_authorize_flow",45,{"type":38,"name":82,"callback":83,"file":64,"line":84},"rest_api_init","mo_llm_register_token_endpoint",47,{"type":52,"name":86,"callback":87,"priority":88,"file":64,"line":89},"determine_current_user","mo_llm_authenticate_request",20,49,{"type":52,"name":91,"callback":92,"file":64,"line":93},"rest_authentication_errors","mo_llm_check_auth_errors",50,{"type":38,"name":82,"callback":95,"file":64,"line":96},"closure",52,{"type":52,"name":98,"callback":99,"priority":55,"file":64,"line":100},"rest_pre_dispatch","mo_llm_rest_pre_dispatch",55,{"type":52,"name":102,"callback":103,"priority":55,"file":64,"line":104},"login_redirect","mo_llm_handle_login_redirect",59,{"type":52,"name":106,"callback":107,"file":64,"line":108},"admin_email_check_interval","__return_false",61,{"type":38,"name":82,"callback":110,"file":111,"line":112},"register_routes","includes\u002Fclass-moaiagent-rest.php",23,{"type":38,"name":114,"callback":115,"file":116,"line":112},"admin_init","handle_post","includes\u002Fclass-moaiagent-support.php",{"type":38,"name":118,"callback":119,"file":120,"line":121},"admin_menu","add_menu","includes\u002Fclass-moaiagent-ui.php",21,{"type":38,"name":48,"callback":123,"priority":88,"file":120,"line":124},"enqueue_agent_assets",22,{"type":38,"name":126,"callback":127,"file":128,"line":93},"plugins_loaded","moaiagent_init","moaiagent-bot.php",{"type":38,"name":130,"callback":131,"file":128,"line":132},"admin_notices","moaiagent_abilities_api_missing_notice",64,[],[],[],[],{"dangerousFunctions":138,"sqlUsage":139,"outputEscaping":142,"fileOperations":11,"externalRequests":144,"nonceChecks":149,"capabilityChecks":150,"bundledLibraries":151},[],{"prepared":140,"raw":11,"locations":141},2,[],{"escaped":143,"rawEcho":144,"locations":145},130,1,[146],{"file":64,"line":147,"context":148},325,"raw output",3,17,[],[153,172],{"entryPoint":154,"graph":155,"unsanitizedCount":11,"severity":171},"mo_llm_handle_authorize_flow (includes\u002Fclass-moaiagent-oauth-connector.php:192)",{"nodes":156,"edges":168},[157,162],{"id":158,"type":159,"label":160,"file":64,"line":161},"n0","source","$_GET",259,{"id":163,"type":164,"label":165,"file":64,"line":166,"wp_function":167},"n1","sink","wp_redirect() [Open Redirect]",263,"wp_redirect",[169],{"from":158,"to":163,"sanitized":170},true,"low",{"entryPoint":173,"graph":174,"unsanitizedCount":11,"severity":171},"\u003Cclass-moaiagent-oauth-connector> (includes\u002Fclass-moaiagent-oauth-connector.php:0)",{"nodes":175,"edges":186},[176,177,178,181],{"id":158,"type":159,"label":160,"file":64,"line":161},{"id":163,"type":164,"label":165,"file":64,"line":166,"wp_function":167},{"id":179,"type":159,"label":160,"file":64,"line":180},"n2",211,{"id":182,"type":164,"label":183,"file":64,"line":184,"wp_function":185},"n3","echo() [XSS]",538,"echo",[187,188],{"from":158,"to":163,"sanitized":170},{"from":179,"to":182,"sanitized":170},{"summary":190,"deductions":191},"The \"miniorange-ai-agent\" v1.1.0 plugin exhibits a strong security posture based on the provided static analysis. The complete absence of direct attack surface entry points like AJAX handlers, REST API routes, and shortcodes, as well as zero unprotected entry points, is a significant strength. The code also demonstrates good practices by utilizing prepared statements for all SQL queries and a very high percentage of properly escaped output, minimizing the risk of common vulnerabilities like SQL injection and cross-site scripting. The presence of nonce and capability checks further reinforces security. \n\nHowever, a single external HTTP request represents a potential, albeit unanalyzed, vector for risk. While the taint analysis shows no unsanitized paths, the nature and handling of this external request would require deeper inspection. The plugin's clean vulnerability history with zero known CVEs is a positive indicator of past security diligence and robustness. Overall, the plugin appears to be developed with security in mind, but the single external HTTP request warrants attention for a comprehensive risk assessment.",[192],{"reason":193,"points":194},"External HTTP request present",5,"2026-04-16T14:34:03.397Z",{"wat":197,"direct":210},{"assetPaths":198,"generatorPatterns":203,"scriptPaths":204,"versionParams":205},[199,200,201,202],"\u002Fwp-content\u002Fplugins\u002Fminiorange-ai-agent\u002Fassets\u002Fcss\u002Fmoaiagent-admin.css","\u002Fwp-content\u002Fplugins\u002Fminiorange-ai-agent\u002Fassets\u002Fjs\u002Fmoaiagent-admin.js","\u002Fwp-content\u002Fplugins\u002Fminiorange-ai-agent\u002Fassets\u002Fcss\u002Fmoaiagent-ai-client.css","\u002Fwp-content\u002Fplugins\u002Fminiorange-ai-agent\u002Fassets\u002Fjs\u002Fmoaiagent-ai-client.js",[],[200,202],[206,207,208,209],"miniorange-ai-agent\u002Fassets\u002Fcss\u002Fmoaiagent-admin.css?ver=","miniorange-ai-agent\u002Fassets\u002Fjs\u002Fmoaiagent-admin.js?ver=","miniorange-ai-agent\u002Fassets\u002Fcss\u002Fmoaiagent-ai-client.css?ver=","miniorange-ai-agent\u002Fassets\u002Fjs\u002Fmoaiagent-ai-client.js?ver=",{"cssClasses":211,"htmlComments":213,"htmlAttributes":214,"restEndpoints":216,"jsGlobals":218,"shortcodeOutput":221},[212],"moaiagent-admin-settings",[],[215],"data-moaiagent-plugin-file",[217],"\u002Fwp-json\u002Fmoaiagent\u002Fv1\u002Fchat",[219,220],"MoAIAgentAdmin","MoAIAgentAIClient",[],{"error":170,"url":223,"statusCode":224,"statusMessage":225,"message":225},"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Fminiorange-ai-agent\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":140,"versions":227},[228,234],{"version":6,"download_url":19,"svn_tag_url":229,"released_at":21,"has_diff":230,"diff_files_changed":231,"diff_lines":21,"trac_diff_url":232,"vulnerabilities":233,"is_current":170},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Fminiorange-ai-agent\u002Ftags\u002F1.1.0\u002F",false,[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Fminiorange-ai-agent%2Ftags%2F1.0.0&new_path=%2Fminiorange-ai-agent%2Ftags%2F1.1.0",[],{"version":235,"download_url":236,"svn_tag_url":237,"released_at":21,"has_diff":230,"diff_files_changed":238,"diff_lines":21,"trac_diff_url":21,"vulnerabilities":239,"is_current":230},"1.0.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fminiorange-ai-agent.1.0.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Fminiorange-ai-agent\u002Ftags\u002F1.0.0\u002F",[],[]]