Problem
WordPress 7.0 stores AI provider credentials for Connectors in options following this pattern:
connectors_ai_{provider}_api_key
Examples include:
connectors_ai_openai_api_key
connectors_ai_anthropic_api_key
connectors_ai_grok_api_key
Plugin Check should report an error when a plugin reads any option matching this pattern directly.
Why this check is needed
These credentials belong to the WordPress Connectors configuration. The site owner provided them to WordPress for use through the configured connector, not for arbitrary plugin code to read directly.
Reading these options directly bypasses the AI Client / Connectors abstraction and increases the risk of exposing, logging, exporting, or misusing sensitive provider credentials.
Proposed detection
Use a pattern match instead of a fixed list of provider names:
preg_match( '/^connectors_ai_[a-z0-9_]+_api_key$/i', $option_name )
Flag matching option names when used with:
get_option()
get_site_option()
get_network_option()
get_options()
Examples that should be flagged
get_option( 'connectors_ai_openai_api_key' );
get_site_option( 'connectors_ai_anthropic_api_key' );
get_network_option( null, 'connectors_ai_grok_api_key' );
get_options(
    array(
        'connectors_ai_openai_api_key',
        'connectors_ai_custom_provider_api_key',
    )
);
Suggested message
Your plugin reads WordPress AI Connector API keys directly from the options table. This is not permitted.
Options matching connectors_ai_{provider}_api_key store credentials configured by the site owner for WordPress Connectors. Plugins should not access these raw API keys directly. Please route AI requests through the WordPress AI Client instead, for example with wp_ai_client_prompt().
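The proposed detection as an added PHP example, not part of the original issue and not Plugin Check's own sniff: it tokenizes plugin source with token_get_all() and applies the issue's pattern to string literals passed to the four listed functions. The function and constant names are hypothetical, PHP 8.0+ is assumed, and option names built at runtime (variables, concatenation) are outside what a literal match can see.

```php
<?php
// Added example, not Plugin Check's own sniff. Names below are hypothetical. Requires PHP 8.0+.
const CONNECTOR_KEY_PATTERN = '/^connectors_ai_[a-z0-9_]+_api_key$/i'; // pattern from the issue
const OPTION_READERS        = array( 'get_option', 'get_site_option', 'get_network_option', 'get_options' );

/** Return [ line, function, option ] for every literal connector key passed to an option reader. */
function find_connector_key_reads( string $source ): array {
	$tokens = token_get_all( $source );
	$count  = count( $tokens );
	$hits   = array();
	for ( $i = 0; $i < $count; $i++ ) {
		$token = $tokens[ $i ];
		// Function names are T_STRING, or T_NAME_FULLY_QUALIFIED when written as \get_option.
		if ( ! is_array( $token ) || ! in_array( $token[0], array( T_STRING, T_NAME_FULLY_QUALIFIED ), true ) ) { continue; }
		$name = strtolower( ltrim( $token[1], '\\' ) );
		$prev = $tokens[ $i - 1 ] ?? null;
		// Ignore other functions, and methods such as $this->get_option().
		$is_method = is_array( $prev ) && in_array( $prev[0], array( T_OBJECT_OPERATOR, T_DOUBLE_COLON ), true );
		if ( $is_method || ! in_array( $name, OPTION_READERS, true ) ) { continue; }
		// Require an opening parenthesis after optional whitespace.
		$j = $i + 1;
		while ( $j < $count && is_array( $tokens[ $j ] ) && T_WHITESPACE === $tokens[ $j ][0] ) { $j++; }
		if ( '(' !== ( $tokens[ $j ] ?? null ) ) { continue; }
		// Walk the argument list to its closing parenthesis, testing each string literal.
		for ( $depth = 0; $j < $count; $j++ ) {
			$t = $tokens[ $j ];
			if ( '(' === $t ) {
				$depth++;
			} elseif ( ')' === $t && 0 === --$depth ) {
				break;
			} elseif ( is_array( $t ) && T_CONSTANT_ENCAPSED_STRING === $t[0] && preg_match( CONNECTOR_KEY_PATTERN, trim( $t[1], '\'"' ) ) ) {
				$hits[] = array( $t[2], $name, trim( $t[1], '\'"' ) );
			}
		}
		$i = $j; // Calls nested inside the argument list were covered by the walk above.
	}
	return $hits;
}

// Constructed sample plugin source, embedded so the example runs offline.
$sample = <<<'PHP'
<?php
$key  = get_option( 'connectors_ai_openai_api_key' );
$all  = get_options( array( 'blogname', 'connectors_ai_custom_provider_api_key' ) );
$safe = get_option( 'my_plugin_settings' );
PHP;
foreach ( find_connector_key_reads( $sample ) as [ $line, $function, $option ] ) {
	printf( "line %d: %s() reads %s\n", $line, $function, $option );
}
```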