weixin-agent-sdk
Warn
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses sensitive local file paths for session persistence and credential management.
  - Evidence: Credentials and sessions are persisted to the ~/.openclaw/ directory, as stated in the 'Quick Start' and 'Troubleshooting' sections of SKILL.md.
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of multiple third-party packages and references an external code repository not associated with a verified organization.
  - Evidence: Instructions to install weixin-agent-sdk, weixin-acp, and silk-wasm from npm.
  - Evidence: References the GitHub repository github.com/wong2/weixin-agent-sdk for installation and source code.
- [COMMAND_EXECUTION]: The skill utilizes dynamic execution patterns to integrate with external agent clients.
  - Evidence: Uses npx weixin-acp to launch agent subprocesses via JSON-RPC over stdio.
- [PROMPT_INJECTION]: The skill is inherently vulnerable to indirect prompt injection because it processes untrusted user input from WeChat and passes it to AI models.
  - Ingestion points: Incoming messages are captured in ChatRequest.text and ChatRequest.media.filePath (SKILL.md).
  - Boundary markers: Absent; the provided OpenAI integration example directly interpolates user text into the message history without delimiters or warnings.
  - Capability inventory: The skill can read local files (fs.readFileSync), send network requests to AI providers (client.chat.completions.create), and execute subprocesses (npx).
  - Sanitization: No evidence of input validation or sanitization is provided in the implementation examples.
Audit Metadata