BotCreds Agent Artifacts Wordpress Plugin - Rating, Reviews, Demo & Download
Plugin Description
BotCreds Agent Artifacts gives AI agents a permanent home for their outputs.
Post a single HTML file to the REST API. The plugin parses it, extracts scripts and styles, saves them as static files, enqueues them properly via WordPress APIs, and serves the result at a clean public URL with strict security headers. No build tools. No infrastructure. One API call.
How It Works
- POST raw HTML to /wp-json/wp/v2/artifacts
- The plugin extracts <script> and <style> blocks and saves them as static files in wp-content/uploads/artifacts/{id}/
- JS and CSS are enqueued via wp_enqueue_script() / wp_enqueue_style() — no inline scripts in rendered output
- The HTML body is sanitized with wp_kses() and an expanded allowed-tags list (canvas, SVG, inputs, video, audio, data-* attributes)
- The artifact is served at yourdomain.com/artifacts/{slug}/ with a strict Content Security Policy
From the caller’s perspective: POST HTML, get URL. Everything else happens server-side.
Features
Deployment
- Single REST API call — no SDK, no library, any HTTP client works
- Update artifacts in place — POST to /wp-json/wp/v2/artifacts/{id} and the public URL stays the same
- Optional artifact_description field for internal documentation
- Head content preservation — <meta> tags and other <head> elements from submitted HTML are preserved in output
- External script support — <script src="..."> tags are registered as external dependencies and enqueued alongside local assets
- Asset cache busting — enqueued files are versioned with filemtime() so browsers fetch updates automatically
- Clean redeploys — old asset files are deleted before new ones are written
Security
- Content Security Policy on every artifact page — blocks external script injection and cross-origin data exfiltration by default
- Trusted CDN list out of the box: cdn.jsdelivr.net, unpkg.com, cdnjs.cloudflare.com, esm.sh, cdn.skypack.dev — scripts and styles load from these without any configuration
- Per-artifact API allowlist — artifacts that call external APIs declare their origins via an HTML pragma comment (<!-- artifact:fetch https://api.example.com -->) or a deploy-time meta field; the plugin adds them to connect-src automatically
- Additional security headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy
- Custom capability type — artifact capabilities are separate from standard post capabilities; only Administrators can create artifacts by default
Developer Hooks
- botcreds_agent_artifacts_csp — filter the full CSP header value for any artifact
- botcreds_agent_artifacts_allowed_html — filter the wp_kses allowed-tags array
- botcreds_agent_artifacts_grant_to_role() — helper to grant capabilities to additional roles
- Custom template — drop single-artifact.php in your active theme to replace the render template
Use Cases
OpenClaw (AI personal assistant)
OpenClaw agents can deploy interactive dashboards, daily digests, data visualizations, and mini-apps in a single tool call. Generate the HTML, POST it, get the URL — no manual steps, no context switching.
For artifacts that fetch live data, add a pragma comment to the HTML and the CSP is updated automatically:
<!-- artifact:fetch https://api.openweathermap.org -->
For recurring reports (daily digests, weekly summaries), store the artifact ID after the first deploy and update in place on subsequent runs. The URL never changes.
Claude Code (terminal-based coding agent)
Claude Code sessions can invoke a shell deploy script directly after generating output. Add a scripts/deploy-artifact.sh to your project and reference it in your CLAUDE.md — Claude will use it to ship outputs without leaving the terminal. No manual copy-paste, no browser switching.
Codex (OpenAI coding agent)
Same pattern as Claude Code. Add deployment instructions to your AGENTS.md and Codex can write HTML, call the deploy script, and report the live URL — all in one agent run.
GitHub Actions (versioned project)
For projects that build a static HTML output — dashboards, reports, documentation, changelogs — a GitHub Actions workflow can deploy to an artifact on every push to main. The artifact ID is stored as a repository variable so the public URL stays stable across all future deploys. Push, build, deploy, done.
Example: Deploy via REST API
curl -X POST "https://your-site.com/wp-json/wp/v2/artifacts" \
  -u "username:application-password" \
  -H "Content-Type: application/json" \
  -d '{
    "title": "My App",
    "status": "publish",
    "meta": {
      "artifact_html": "<!DOCTYPE html><html><body><h1>Hello.</h1></body></html>",
      "artifact_description": "Built by my AI agent"
    }
  }'
The link field in the response is the public URL of the deployed artifact.
Example: Artifact with Live Data
Include the fetch pragma in your HTML — no configuration needed:
<!-- artifact:fetch https://api.openweathermap.org -->
<!DOCTYPE html>
<html>
<body>
  <div id="weather"></div>
  <script>
    // Any key placed here is readable by every visitor of the public artifact URL.
    fetch('https://api.openweathermap.org/data/2.5/weather?q=Denver&appid=YOUR_KEY')
      .then(r => r.json())
      .then(d => document.getElementById('weather').textContent = d.weather[0].description);
  </script>
</body>
</html>
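Because every origin declared through the artifact:fetch pragma ends up in connect-src, a pre-deploy check can list what an HTML file declares and compare it with a reviewer-maintained list. The following is an added example, not the plugin's code: the function names, the approved list and the sample HTML are constructed for illustration, and the page does not show how the plugin itself parses the pragma.

```python
import re
from urllib.parse import urlsplit

# Pragma form shown on the page: <!-- artifact:fetch https://api.example.com -->
PRAGMA = re.compile(r"<!--\s*artifact:fetch\s+(.*?)\s*-->", re.DOTALL)

def declared_origins(html):
    """Every token the HTML asks to have added to connect-src.
    Assumption: several whitespace-separated origins in one pragma are each audited."""
    return [tok for body in PRAGMA.findall(html) for tok in body.split()]

def audit(html, approved):
    """Return (accepted, rejected); rejected holds (token, reason) pairs."""
    accepted, rejected = [], []
    for raw in declared_origins(html):
        try:
            u = urlsplit(raw)
            host, port = u.hostname or "", u.port
        except ValueError:
            rejected.append((raw, "unparseable URL"))
            continue
        origin = f"https://{host}" + (f":{port}" if port else "")
        if u.scheme != "https":
            reason = "scheme is not https"
        elif not host or "*" in host:
            reason = "wildcard or empty host"
        elif u.username or u.path not in ("", "/") or u.query or u.fragment:
            reason = "not a bare origin"
        elif origin not in approved:
            reason = "origin not on the approved list"
        else:
            accepted.append(origin)
            continue
        rejected.append((raw, reason))
    return accepted, rejected

# Constructed sample input and reviewer-approved list (both hypothetical).
APPROVED = {"https://api.openweathermap.org"}
SAMPLE = """<!-- artifact:fetch https://api.openweathermap.org -->
<!-- artifact:fetch https://collector.example.net/upload -->
<!-- artifact:fetch http://api.openweathermap.org -->
<!-- artifact:fetch https://*.example.net -->
<!DOCTYPE html><html><body><div id="weather"></div></body></html>"""

if __name__ == "__main__":
    ok, bad = audit(SAMPLE, APPROVED)
    print("connect-src additions:", ok)
    for token, reason in bad:
        print("REJECT", token, "->", reason)
```

Run it on the built HTML before the deploy step and fail the job when the rejected list is non-empty.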
Example: GitHub Actions Deployment
name: Deploy Artifact
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run build
      - name: Deploy to Artifact
        env:
          WP_SITE: ${{ secrets.ARTIFACT_WP_SITE }}
          WP_USER: ${{ secrets.ARTIFACT_WP_USER }}
          WP_PASS: ${{ secrets.ARTIFACT_WP_PASS }}
          ARTIFACT_ID: ${{ vars.ARTIFACT_ID }}
        run: |
          PAYLOAD=$(jq -n --arg title "My Dashboard" --rawfile html dist/index.html \
            '{title: $title, status: "publish", meta: {artifact_html: $html}}')
          ENDPOINT="$WP_SITE/wp-json/wp/v2/artifacts"
          [ -n "$ARTIFACT_ID" ] && ENDPOINT="$ENDPOINT/$ARTIFACT_ID"
          curl -sf -X POST "$ENDPOINT" -u "$WP_USER:$WP_PASS" \
            -H "Content-Type: application/json" -d "$PAYLOAD" | jq -r '.link'
