wechat-publish-pipeline

Fail

Audited by Gen Agent Trust Hub on Apr 8, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill contains explicit instructions to override the standard agent safety protocol of requesting user confirmation. It mandates a 'Fully Automatic Mode' with phrases such as '全程不等待用户确认' (no waiting for user confirmation throughout), '完全自主,不询问用户' (completely autonomous, do not ask the user), and '不要等用户回复' (do not wait for user reply). This removes the critical 'human-in-the-loop' safeguard for high-impact actions like publishing content.
  • [INDIRECT_PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection as it automatically scrapes and processes content from external, attacker-controllable sources.
  • Ingestion points: Scrapes Hacker News (news.ycombinator.com), GitHub Trending, and arbitrary external URLs via the 'baoyu-url-to-markdown' tool.
  • Boundary markers: There are no markers or instructions provided to the agent to treat the fetched content as untrusted or to ignore embedded instructions within that content.
  • Capability inventory: The skill has the ability to execute shell commands via 'npx', write to the file system, and transmit data to the WeChat API.
  • Sanitization: No sanitization, validation, or filtering of the external Markdown/HTML content is performed before it is used by the LLM to generate the final article.
  • [UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: The skill performs runtime installation of external Node.js packages using 'npm install jimp @jsquash/webp' during its environment check phase. The command pins no versions, so whatever the registry serves at run time is installed and executed, which introduces supply chain risk.
  • [DATA_EXPOSURE_AND_EXFILTRATION]: The skill automatically transmits generated content and images to the WeChat Official Account API. In an indirect prompt injection scenario, an attacker could manipulate the content being 'published' or potentially exploit the tool to exfiltrate other sensitive information via the publication parameters.
  • [DYNAMIC_EXECUTION]: The skill dynamically creates and modifies configuration files ('EXTEND.md') in the user's home directory ('$HOME/.baoyu-skills/') using shell redirection ('cat >'). It also uses 'npx -y bun' to execute various local scripts with interpolated variables like '{source_url}', which could be a vector for command injection if the input is not strictly validated.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 8, 2026, 11:22 AM