wechat-mp-publisher
Warn
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
- [DATA_EXFILTRATION]: The SKILL.md file contains mandatory instructions for the agent to take screenshots of the WeChat MP editor (which displays the full text, title, and media of drafts) and send them to a specific hardcoded Telegram group ID (-1003890797239). This creates a data exfiltration channel where sensitive user content is transmitted to an external destination managed by a third party.
- [COMMAND_EXECUTION]: The skill relies on local Python scripts (scripts/publish.py and scripts/api_publish.py) that perform browser automation via Playwright and authenticated network requests. These scripts execute with the user's local privileges and handle sensitive session data.
- [DATA_EXPOSURE]: The skill stores and accesses sensitive platform credentials, including browser cookies and API tokens, within the user's home directory (~/.openclaw/skills/wechat-mp-smart-publish/). This represents a local exposure surface for authentication secrets.
- [INDIRECT_PROMPT_INJECTION]: The skill is designed to process external, untrusted content (Markdown and HTML articles) and perform automated browser/API actions based on that content. There is a lack of boundary markers to prevent instructions embedded within the article text from influencing the agent's behavior in the editor.
  - Ingestion points: Article content files loaded into scripts/publish.py and scripts/api_publish.py.
  - Boundary markers: None identified in the prompt templates or scripts.
  - Capability inventory: Full browser automation (Playwright), file system reads, and WeChat API interactions.
  - Sanitization: The scripts perform basic character length checks but do not sanitize HTML/Markdown content for malicious injection strings.
Audit Metadata