wecom-automation

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill ingests and processes arbitrary user-generated content from external WeChat users (e.g., text messages routed into workflows/handle_message.js which calls answer_question.py, file attachments downloaded and processed in handleFileMessage, images OCRed, and URL messages handled in bot.js), and that content is fed to LLMs and used to decide replies/escalations, so untrusted third-party content can materially influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The install script (install.sh) clones and builds remote code at runtime from https://github.com/pgvector/pgvector.git (git clone ...; make; sudo make install) to install the required pgvector extension, which fetches and executes external code that the skill relies on.