wechat-channel
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [DATA_EXFILTRATION]: The Express API endpoints `/api/contacts` and `/api/rooms` in `scripts/wechat-bridge.js` do not implement authentication checks. This allows any network-connected entity to retrieve the user's WeChat contact list and group identifiers.
- [DATA_EXFILTRATION]: The `/api/send` endpoint in `scripts/wechat-bridge.js` allows sending local files from the host system to WeChat via the `path` parameter. This capability could be abused to exfiltrate sensitive files if the API secret is leaked or bypassed.
- [PROMPT_INJECTION]: The bridge facilitates indirect prompt injection by forwarding raw message text from WeChat users to the AI Agent. Because the agent has high-privilege tools like `Bash` and `Write`, an attacker could potentially hijack the agent's logic via a WeChat message.
  - Ingestion points: `scripts/wechat-bridge.js` message event listener (line 104).
  - Boundary markers: Absent; the raw text is forwarded within a JSON payload to the agent without instruction-delimiters.
  - Capability inventory: The agent has access to `Bash`, `Read`, `Write`, and `Edit` tools.
  - Sanitization: Absent; the code only trims @mentions and does not filter for malicious instruction patterns.
- [EXTERNAL_DOWNLOADS]: The `/api/send` endpoint supports fetching content from arbitrary URLs via `FileBox.fromUrl`. This can be utilized as a Server-Side Request Forgery (SSRF) vector to scan or access internal network resources.
Audit Metadata