wechat-channel
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- Data Exposure & Exfiltration (HIGH): The script `scripts/wechat-bridge.js` implements a `POST /api/send` endpoint that accepts a `path` parameter.
  - Evidence: Inside the `switch (type || 'text')` block, the code executes `const fileBox = FileBox.fromFile(path); await target.say(fileBox);` when the type is 'image' or 'file'.
  - Risk: There is no validation, sanitization, or restriction on the `path` provided. An attacker with access to this API could specify sensitive file paths (e.g., `/etc/passwd`, `~/.ssh/id_rsa`, or the skill's own `.env` file containing the `PADLOCAL_TOKEN`) and have the bot send those files to a WeChat recipient.
- Unverifiable Dependencies (LOW): The skill requires several Node.js dependencies, including `wechaty-puppet-padlocal`.
  - Evidence: `package.json` lists these dependencies, and `SKILL.md` instructs the user to run `npm install`.
  - Risk: While standard for this type of integration, it introduces a reliance on third-party code and services (pad-local.com) for core functionality.
- Indirect Prompt Injection (LOW): The skill processes untrusted user input from WeChat and forwards it to an AI gateway.
  - Ingestion points: Received WeChat messages are captured in `handleMessage` within `scripts/wechat-bridge.js`.
  - Boundary markers: None. The messages are forwarded as raw text.
  - Capability inventory: The skill possesses file-reading capabilities (`FileBox`) and is granted `Bash`, `Read`, and `Write` tools in its metadata.
  - Sanitization: None. Raw message content is passed directly to the `OPENCLAW_GATEWAY_URL` via `axios.post`.
- Network Operations (LOW): The skill transmits message data, user IDs, and metadata to a user-defined external gateway.
  - Evidence: The `forwardToOpenClaw` function in `scripts/wechat-bridge.js` sends payloads to `process.env.OPENCLAW_GATEWAY_URL`.
Recommendations
- AI detected serious security threats
Audit Metadata