javiercasares/wp-abilities-api
.codex/skills/wp-abilities-api/SKILL.md
Use when working with the WordPress Abilities API (wp_register_ability, wp_register_ability_category, /wp-json/wp-abilities/v1/*, @wordpress/abilities) including defining abilities, categories, meta, REST exposure, and permissions checks for clients.
$ install --global
skillsauthnpx skillsauth add javiercasares/wpvulnerability wp-abilities-apiInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 5, 2026, 10:34 PM35.1s3 files scanned
SKILL.md
- name:
- wp-abilities-api
- description:
- Use when working with the WordPress Abilities API (wp_register_ability, wp_register_ability_category, /wp-json/wp-abilities/v1/*, @wordpress/abilities) including defining abilities, categories, meta, REST exposure, and permissions checks for clients.
- compatibility:
- Targets WordPress 6.9+ (PHP 7.2.24+). Filesystem-based agent with bash + node. Some workflows require WP-CLI.
WP Abilities API
When to use
Use this skill when the task involves:
- registering abilities or ability categories in PHP,
- exposing abilities to clients via REST (
wp-abilities/v1), - consuming abilities in JS (notably
@wordpress/abilities), - diagnosing “ability doesn’t show up” / “client can’t see ability” / “REST returns empty”.
Inputs required
- Repo root (run
wp-project-triagefirst if you haven’t). - Target WordPress version(s) and whether this is WP core or a plugin/theme.
- Where the change should live (plugin vs theme vs mu-plugin).
Procedure
1) Confirm availability and version constraints
- If this is WP core work, check
signals.isWpCoreCheckoutandversions.wordpress.core. - If the project targets WP < 6.9, you may need the Abilities API plugin/package rather than relying on core.
2) Find existing Abilities usage
Search for these in the repo:
wp_register_ability(wp_register_ability_category(wp_abilities_api_initwp_abilities_api_categories_initwp-abilities/v1@wordpress/abilities
If none exist, decide whether you’re introducing Abilities API fresh (new registrations + client consumption) or only consuming.
3) Register categories (optional)
If you need a logical grouping, register an ability category early (see references/php-registration.md).
4) Register abilities (PHP)
Implement the ability in PHP registration with:
- stable
id(namespaced), label/description,category,meta:- add
readonly: truewhen the ability is informational, - set
show_in_rest: truefor abilities you want visible to clients.
- add
Use the documented init hooks for Abilities API registration so they load at the right time (see references/php-registration.md).
5) Confirm REST exposure
- Verify the REST endpoints exist and return expected results (see
references/rest-api.md). - If the client still can’t see the ability, confirm
meta.show_in_restis enabled and you’re querying the right endpoint.
6) Consume from JS (if needed)
- Prefer
@wordpress/abilitiesAPIs for client-side access and checks. - Ensure build tooling includes the dependency and the project’s build pipeline bundles it.
Verification
wp-project-triageindicatessignals.usesAbilitiesApi: trueafter your change (if applicable).- REST check (in a WP environment): endpoints under
wp-abilities/v1return your ability and category when expected. - If the repo has tests, add/update coverage near:
- PHP: ability registration and meta exposure
- JS: ability consumption and UI gating
Failure modes / debugging
- Ability never appears:
- registration code not running (wrong hook / file not loaded),
- missing
meta.show_in_rest, - incorrect category/ID mismatch.
- REST shows ability but JS doesn’t:
- wrong REST base/namespace,
- JS dependency not bundled,
- caching (object/page caches) masking changes.
Escalation
- If you’re uncertain about version support, confirm target WP core versions and whether Abilities API is expected from core or as a plugin.
- For canonical details, consult:
references/rest-api.mdreferences/php-registration.md
Related Skills
javiercasares/wp-wpcli-and-ops
tools
VerifiedTrustedCommunity
Use when working with WP-CLI (wp) for WordPress operations: safe search-replace, db export/import, plugin/theme/user/content management, cron, cache flushing, multisite, and scripting/automation with wp-cli.yml.
40SKILL.mdUpdated Apr 5, 2026
javiercasares/wp-project-triage
tools
VerifiedTrustedCommunity
Use when you need a deterministic inspection of a WordPress repository (plugin/theme/block theme/WP core/Gutenberg/full site) including tooling/tests/version hints, and a structured JSON report to guide workflows and guardrails.
40SKILL.mdUpdated Apr 5, 2026
javiercasares/wp-plugin-development
tools
VerifiedTrustedCommunity
Use when developing WordPress plugins: architecture and hooks, activation/deactivation/uninstall, admin UI and Settings API, data storage, cron/tasks, security (nonces/capabilities/sanitization/escaping), and release packaging.
40SKILL.mdUpdated Apr 5, 2026
javiercasares/wp-playground
tools
VerifiedTrustedCommunity
Use for WordPress Playground workflows: fast disposable WP instances in the browser or locally via @wp-playground/cli (server, run-blueprint, build-snapshot), auto-mounting plugins/themes, switching WP/PHP versions, blueprints, and debugging (Xdebug).
40SKILL.mdUpdated Apr 5, 2026