wemp-operator
Fail
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: A hardcoded Weibo session cookie ('SUB') is present in the headers of the fetch_weibo function within the Python collection script.
  - Evidence: File scripts/content/fetch_news.py contains "Cookie": "SUB=_2AkMWIuNSf8NxqwJRmP8dy2rhaoV2ygrEieKgfhKJJRMxHRl-yT9jqk86tRB6PaLNvQZR6zYUcYVT1zSjoSreQHidcUq7".
- [COMMAND_EXECUTION]: The skill uses Node.js subprocess methods to execute local Python scripts and external skill scripts, which could be exploited if pathing or arguments are manipulated.
  - Evidence: scripts/content/smart-collect.mjs and scripts/content/collect-news.mjs use spawn and execSync to run python3 scripts.
- [EXTERNAL_DOWNLOADS]: The collection module fetches data from over 20 external domains including social media and news aggregators, which is functional but increases the risk of ingesting malicious content.
  - Evidence: scripts/content/fetch_news.py targets domains like s.weibo.com, www.zhihu.com, api.juejin.cn, and www.toutiao.com.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it aggregates untrusted external data and interpolates it directly into instructions for the AI to generate articles.
  - Ingestion points: scripts/content/smart-collect.mjs and scripts/content/fetch_news.py (fetches news titles and content from 20+ sources).
  - Boundary markers: Absent. The article generation prompt in scripts/content/generate.mjs lacks delimiters to separate untrusted content from instructions.
  - Capability inventory: scripts/content/publish.mjs (capability to create and publish drafts to the WeChat Official Account platform via the wemp skill).
  - Sanitization: Absent. The external content is used directly in the prompt generation logic in scripts/content/generate.mjs.
Recommendations
- AI detected serious security threats
Audit Metadata