Build secure WordPress plugins with hooks, database interactions, Settings API, custom post types, and REST API. Covers Simple, OOP, and PSR-4 architecture patterns plus the Security Trinity. Includes WordPress 6.7-6.9 breaking changes. Use when creating plugins or troubleshooting SQL injection, XSS, CSRF, REST API vulnerabilities, wpdb::prepare errors, nonce edge cases, or WordPress 6.8+ bcrypt migration.
Install with Tessl CLI
npx tessl i github:jezweb/claude-skills --skill wordpress-plugin-core
81
Does it follow best practices?
If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:
npx tessl skill review --optimize ./path/to/skill
Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that hits all the marks. It provides specific capabilities (hooks, APIs, architecture patterns), explicit trigger guidance with a 'Use when' clause, and highly distinctive WordPress-specific terminology including version numbers and security vulnerability types. The description is comprehensive yet concise.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions and concepts: 'hooks, database interactions, Settings API, custom post types, REST API', plus specific architecture patterns ('Simple, OOP, PSR-4') and security concepts ('Security Trinity'). Also mentions specific version breaking changes. | 3 / 3 |
| Completeness | Clearly answers both what ('Build secure WordPress plugins with hooks, database interactions...') AND when ('Use when creating plugins or troubleshooting SQL injection, XSS, CSRF...'). The explicit 'Use when' clause provides clear trigger guidance. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural terms users would say: 'WordPress plugins', 'SQL injection', 'XSS', 'CSRF', 'REST API vulnerabilities', 'wpdb::prepare', 'nonce', 'bcrypt migration'. These are terms developers would naturally use when seeking help. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive with WordPress-specific terminology, version numbers (6.7-6.9, 6.8+), and security-focused triggers. Unlikely to conflict with generic coding or other CMS skills due to specific WordPress APIs and vulnerability types mentioned. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
64%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a highly actionable WordPress plugin development skill with excellent executable code examples and comprehensive security coverage. However, it's verbose for its scope - the 29 documented issues section, while valuable, creates a monolithic document that could benefit from splitting into separate reference files. The workflow clarity could be improved with explicit validation checkpoints for multi-step operations.
Suggestions
- Move the 29 documented issues to a separate 'COMMON-ISSUES.md' reference file, keeping only the top 5-10 most critical issues inline with links to the full reference
- Add explicit validation checkpoints to multi-step workflows (e.g., 'After registering CPT: verify with WP_DEBUG enabled, then flush rewrite rules, then test 404 behavior')
- Condense the 'Why It Happens' explanations - Claude understands these concepts; focus on the prevention patterns and code examples
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is comprehensive but includes some verbose explanations (e.g., 'Why It Happens' sections for each issue, detailed context that Claude likely knows). The 29 documented issues section is thorough but could be more condensed with patterns grouped together. | 2 / 3 |
| Actionability | Excellent executable code examples throughout - every security pattern, common issue, and architecture pattern includes copy-paste ready PHP code with clear ✅/❌ annotations showing correct vs incorrect approaches. | 3 / 3 |
| Workflow Clarity | While individual tasks are clear, the skill lacks explicit validation checkpoints for multi-step processes like plugin setup. The checklist at the end is helpful but workflows for destructive operations (database changes, uninstall) don't have explicit verify-then-proceed steps. | 2 / 3 |
| Progressive Disclosure | References to external files (templates, scripts, references) are mentioned but the main content is monolithic with 29 issues inline. The bundled resources section signals external files well, but the issues section could be split into a separate reference file. | 2 / 3 |
| Total | | 9 / 12 Passed |
Validation
75%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 12 / 16 Passed
Validation for skill structure
| Criteria | Description | Result |
|---|---|---|
| skill_md_line_count | SKILL.md is long (1090 lines); consider splitting into references/ and linking | Warning |
| metadata_version | 'metadata' field is not a dictionary | Warning |
| license_field | 'license' field is missing | Warning |
| frontmatter_unknown_keys | Unknown frontmatter key(s) found; consider removing or moving to metadata | Warning |
| Total | 12 / 16 Passed | |