wecom-automation

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's Wechaty message handlers (bot.js onMessage and workflows/handle_message.js / workflows/on_event.js) ingest arbitrary external user messages, attachments, images, files and URL links and pass them into Python/LLM workflows (e.g., answer_question.py, process_file.py, ocr_image.py) so untrusted, user-generated content can be read/interpreted and materially influence agent decisions and actions (replies, escalations, notifications).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The install.sh setup clones and builds remote code from https://github.com/pgvector/pgvector.git (git clone ...; make; sudo make install) during installation, which executes fetched code on the host and is required to enable the pgvector dependency used by the skill.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill includes explicit privileged system commands (e.g., "sudo -u postgres createdb wecom_kb"), PM2/service management and filesystem operations that modify the host state and require elevated privileges, so it poses a risk of changing the machine state.