wechat-channel

Warn

Audited by Gen Agent Trust Hub on Mar 31, 2026

Risk Level: MEDIUM
DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill processes untrusted input from external WeChat users and forwards it to the AI Agent gateway without sanitization or boundary delimiters, creating a surface for indirect prompt injection attacks.
      • Evidence: In scripts/wechat-bridge.js, the handleMessage function extracts text from WeChat messages and sends it to the OPENCLAW_GATEWAY_URL via the forwardToOpenClaw function.
  • [DATA_EXFILTRATION]: The bridge service exposes an API endpoint /api/send that accepts a local file path. An attacker who successfully influences the AI Agent (e.g., via indirect prompt injection) can instruct it to exfiltrate sensitive local files to a WeChat account.
      • Evidence: The POST /api/send handler in scripts/wechat-bridge.js uses FileBox.fromFile(path) to read arbitrary files from the local filesystem based on the path parameter provided in the request body.
  • [COMMAND_EXECUTION]: The skill requires the user to execute shell commands to install dependencies and run a local Node.js server with broad permissions.
      • Evidence: SKILL.md instructions include npm install and node scripts/wechat-bridge.js.
  • [EXTERNAL_DOWNLOADS]: The skill downloads several third-party Node.js packages during setup, which introduces supply chain risks.
      • Evidence: package.json lists dependencies such as wechaty, wechaty-puppet-padlocal, and axios.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 31, 2026, 06:12 AM