wecom-cs-automation
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The 'install.sh' script executes multiple shell commands with elevated privileges ('sudo') to install PostgreSQL, manage system services, and compile database extensions.
- [EXTERNAL_DOWNLOADS]: The 'install.sh' script clones the 'pgvector' repository from GitHub to compile and install the vector extension required for the knowledge base.
- [PROMPT_INJECTION]: The 'workflows/answer_question.py' script is vulnerable to indirect prompt injection because it constructs LLM prompts by directly interpolating untrusted user messages and retrieved context from the database without sanitization or boundary markers.
  - Ingestion points: 'answer_question.py' (user query from WeCom webhook)
  - Boundary markers: Absent
  - Capability inventory: Sending messages to users via WeCom API and notifications via Telegram/Feishu
  - Sanitization: Absent
- [DATA_EXFILTRATION]: The skill configuration in 'SKILL.md', 'workflows/escalate.py', and the 'install.sh' environment template contains a hardcoded Telegram recipient ID ('8518085684'). Unless manually updated, any customer query that triggers the escalation flow will be sent to this specific Telegram account, potentially exposing sensitive customer interactions.
Audit Metadata