baoyu-post-to-wechat

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to prompt the user for WeChat AppID/AppSecret and write them as plaintext into .env (e.g., WECHAT_APP_ID=<user_input>), which requires the LLM to handle and embed secret values verbatim in generated outputs/commands, posing exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's markdown-to-HTML pipeline and renderer explicitly fetch and incorporate external HTTP/HTTPS resources (see scripts/md-to-wechat.ts: downloadFile/resolveImagePath which downloads remote image URLs, and the PlantUML extension/fetchSvgContent that fetches SVGs from plantuml.com), and those remote/untrusted resources are parsed and pasted into the WeChat editor as part of the required publishing workflow (SKILL.md Step 3 / references), so third-party content can influence what the agent injects or pastes during automated browser actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill invokes npx -y bun at runtime (e.g., spawnSync('npx', ['-y','bun', ...]) in scripts/md-to-wechat.ts), which will fetch and execute code from the npm registry (e.g. https://registry.npmjs.org) as a required step for Markdown rendering, so remote content is fetched and executed at runtime.