wechat-channel
Warn
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The bridge service exposes sensitive user data through unauthenticated API endpoints. While the message-sending API is protected by a secret, the
GET /api/contactsandGET /api/roomsendpoints inscripts/wechat-bridge.jslack authentication checks, allowing unauthorized access to the user's full WeChat contact list, contact IDs, and group names. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it forwards external content from WeChat to the AI agent without proper sanitization or boundary markers.
- Ingestion points: WeChat message text is captured in
scripts/wechat-bridge.jsviamessage.text(). - Boundary markers: Absent. Messages are forwarded as raw text within a JSON payload to the OpenClaw gateway.
- Capability inventory: The service has the capability to read local files (via
FileBox.fromFile) and send them to WeChat, as well as fetch and send remote images (viaFileBox.fromUrl). - Sanitization: Only @mention strings are removed from the text; no further escaping or instruction-filtering is performed before the content reaches the agent context.
- [EXTERNAL_DOWNLOADS]: The skill utilizes the PadLocal protocol for WeChat integration. It downloads and uses the
wechaty-puppet-padlocalpackage and communicates withpad-local.comto maintain the bridge connection.
Audit Metadata