wechat-to-md
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted content from external WeChat articles and provides the output to the AI agent.
  - Ingestion points: Raw HTML content is fetched from external URLs in `wechat_to_md/scraper.py` and processed in `wechat_to_md/parser.py`.
  - Boundary markers: The skill does not implement boundary markers or instructions to the agent to ignore potentially malicious commands within the extracted article content.
  - Capability inventory: The skill possesses file-writing capabilities in `wechat_to_md/cli.py` and `wechat_to_md/mcp_server.py`, and it performs network requests for image downloads in `wechat_to_md/downloader.py`.
  - Sanitization: The tool uses BeautifulSoup and markdownify to clean HTML, but it lacks specific filtering or escaping mechanisms to prevent the inclusion of instructions targeting the AI agent.
- [EXTERNAL_DOWNLOADS]: The skill's dependency, Camoufox, automatically downloads a patched Firefox browser from its GitHub repository on the first run to bypass WeChat's detection mechanisms.
- [COMMAND_EXECUTION]: The tool spawns browser processes via the Camoufox library to fetch and render article content, which is a necessary but significant capability.
Audit Metadata