macos-agent-development

Fail

Audited by Snyk on Mar 10, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). This skill implements targeted UI surveillance and remote-control capabilities for WeChat via the Accessibility API: it extracts and emits message content and accepts stdin commands to inject text. This enables data exfiltration and impersonation, and thus presents a high risk of deliberate abuse as a backdoor/spy agent.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's WeChatMonitor (WeChatMonitor.swift) explicitly reads user-generated chat text from the WeChat app via the Accessibility API (extractMessages/extractMessagesFromWindow) and forwards it to an orchestrator with MessageSender, so untrusted third-party content from WeChat is ingested and can influence subsequent actions.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 10, 2026, 12:25 AM