wechat-channel

Fail

Audited by Gen Agent Trust Hub on Mar 31, 2026

Risk Level: HIGH (DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [DATA_EXFILTRATION]: The internal API service defined in scripts/wechat-bridge.js contains a high-risk file access primitive. The /api/send endpoint accepts a path parameter for both image and file message types. The script passes this parameter directly to FileBox.fromFile(path), which reads the file from the host's local filesystem and sends it to a WeChat recipient. Anyone who can reach this API, or who holds a compromised token, could therefore exfiltrate arbitrary sensitive files (e.g., SSH keys, configuration files, or database backups) from the environment where the bridge is running.
  • [PROMPT_INJECTION]: The skill implements an attack surface for indirect prompt injection by ingesting untrusted data from an external source (WeChat) and passing it to an agent with powerful capabilities.
      • Ingestion points: Incoming WeChat messages are received and processed in the handleMessage function within scripts/wechat-bridge.js.
      • Boundary markers: None. While the script removes @mentions, the core message text is forwarded to the gateway without delimiters or instructions to ignore embedded commands.
      • Capability inventory: The skill's metadata in SKILL.md explicitly allows the agent to use the Bash, Read, Write, and Edit tools, which can be abused if the agent is tricked by malicious message content.
      • Sanitization: No content filtering or safety validation is performed on the incoming message text before it is sent to the OpenClaw gateway.
  • [COMMAND_EXECUTION]: The skill requires running a local Node.js server (scripts/wechat-bridge.js) that listens on a network port (default 3001). This increases the local attack surface, as the service handles complex data types and performs file system operations based on incoming HTTP requests.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 31, 2026, 01:00 PM