read-gzh
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill's core function is to ingest untrusted data from external WeChat links and images. It lacks explicit boundary markers or sanitization logic. Given its capabilities (executing Python scripts and performing network operations via curl), maliciously crafted articles could hijack the agent's behavior to perform unauthorized actions or exfiltrate data. Evidence: ingestion points in `scripts/fetch_wechat_article.py`; capabilities include subprocess execution and file system writes (`curl -o /tmp/...`).
- Command Execution (MEDIUM): The execution flow relies on shell commands where user-provided URLs are passed as arguments (`python3 ... "<公众号链接>"`). If the agent does not strictly validate these inputs, an attacker could use shell metacharacters to execute arbitrary commands.
- External Downloads (LOW): The skill uses `curl` to download images from arbitrary external URLs to the `/tmp` directory. While these are treated as images, this behavior facilitates interaction with potentially malicious external servers.
Recommendations
- AI detected serious security threats
Audit Metadata