wecom-automation
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The `install.sh` script executes several high-privilege system commands using `sudo`, including `apt update`, `apt install`, and managing system services like `postgresql`. It also executes build commands (`make`, `sudo make install`) to install database extensions.
- [COMMAND_EXECUTION]: In `workflows/handle_message.js`, the skill uses `child_process.spawn` to dynamically execute various Python scripts (`answer_question.py`, `process_file.py`, `ocr_image.py`, `transcribe_voice.py`) with user-provided data from WeChat messages passed as arguments.
- [EXTERNAL_DOWNLOADS]: The installation script clones the `pgvector` repository directly from GitHub (https://github.com/pgvector/pgvector.git) to compile and install it, which is an external dependency managed outside of standard package registries.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted text, files, and images from WeChat users and passes them to Large Language Models for processing.
  - Ingestion points: Message text and file attachments received in `bot.js` via the `onMessage` event handler.
  - Boundary markers: None identified in the provided `handleTextMessage` logic to delimit untrusted input from system instructions.
  - Capability inventory: The skill can send outbound WeChat messages, notify external services via Telegram, and perform database read/write operations.
  - Sanitization: There is no evidence of content filtering or escaping for user-provided data before it is sent to the processing scripts.
Audit Metadata