wechat-toolkit

Pass

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: SAFE
PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill's 'Article Rewriting' module (Module 3) processes untrusted data scraped from external sources (Sogou and WeChat). This content is interpolated into the agent's context without sanitization or strict boundary markers (such as XML tags or explicit 'ignore embedded instructions' warnings), creating a surface for Indirect Prompt Injection.
      • Ingestion points: scripts/search/search_wechat.js (web scraping), scripts/downloader/download.js (article content retrieval).
      • Boundary markers: Absent.
      • Capability inventory: subprocess execution via execFileSync (publish.js), file system access, and network operations.
      • Sanitization: Absent.
  • [DATA_EXFILTRATION]: The publishing scripts (publish.js and publish_with_video.js) are designed to read sensitive API credentials (WECHAT_APP_ID and WECHAT_APP_SECRET) from the user's home directory (~/.openclaw/workspace/TOOLS.md). While intended for legitimate interaction with the WeChat API, this involves accessing sensitive configuration data outside the skill's immediate directory.
  • [COMMAND_EXECUTION]: The scripts in the publisher module automatically attempt to install required software if missing. Specifically, scripts/publisher/publish.js executes 'npm install -g @wenyan-md/cli' using execFileSync, which involves system-level command execution with global impact.
  • [EXTERNAL_DOWNLOADS]: The skill performs numerous external network requests to download content. scripts/downloader/download.js fetches article HTML, images, and videos from Tencent's domains (mp.weixin.qq.com, v.qq.com, qpic.cn), and scripts/search/search_wechat.js performs scraping against Sogou (weixin.sogou.com).
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 17, 2026, 01:18 AM