wecom-automation

Warn

Audited by Snyk on Mar 10, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill directly ingests untrusted, user-generated content from WeChat contacts (text, attachments, images, voice, and URL messages) as shown in bot.js (onMessage/handleUrlMessage) and workflows/handle_message.js (which passes message text/files to answer_question.py, OCR, and transcription) and uses those inputs to generate LLM replies and escalation decisions, so third-party content can materially influence actions and enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The install script (install.sh) clones and builds remote code during setup — e.g. git clone --branch v0.5.1 https://github.com/pgvector/pgvector.git followed by make && sudo make install — which fetches and executes external code that the skill relies on for the pgvector extension.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill includes explicit privileged system commands (e.g., "sudo -u postgres createdb wecom_kb"), PM2/service management and filesystem operations that modify the host state and require elevated privileges, so it poses a risk of changing the machine state.
Audit Metadata

Risk Level: MEDIUM
Analyzed: Mar 10, 2026, 04:43 PM