wecom-cs-automation
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The install.sh script executes multiple commands with sudo privileges to install system packages (postgresql), create databases, and install the pgvector extension. It also uses subshell commands to retrieve sensitive keys from the pass password manager during environment configuration.
- [EXTERNAL_DOWNLOADS]: During the installation process, the skill clones source code from an external repository (https://github.com/pgvector/pgvector.git) to build the required vector extension. While the source is a well-known repository, automated download and compilation of external code carries security risks.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection within the workflows/answer_question.py script.
  - Ingestion points: Untrusted user questions are received via the WeChat Work callback and directly interpolated into the LLM prompt in handle_question.
  - Boundary markers: The prompt template uses simple labels (e.g., '用户问题:{query}') but lacks robust delimiters or instructions to ignore embedded commands within the user input.
  - Capability inventory: The skill has the capability to send messages to external users via WeChat Work and trigger notifications through Telegram or Feishu webhooks.
  - Sanitization: There is no evidence of input validation, filtering, or sanitization of the user-provided content before it is processed by the language model.
Audit Metadata