wxauto
Fail
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [UNVERIFIABLE_DEPENDENCIES_AND_REMOTE_CODE_EXECUTION]: The skill requires the installation of the wxautox4 package and instructs the agent to clone an external code repository from https://github.com/cluic/wxauto-restful-api to function.
- [DYNAMIC_EXECUTION]: The script scripts/wxapi.py uses subprocess.Popen to automatically launch the WeChat API service (run.py) from a dynamically determined directory if the service is not currently running.
- [COMMAND_EXECUTION]: The skill executes shell commands via subprocess.Popen to start and manage the background API service, utilizing flags to detach the process on Windows and create new sessions on Linux.
- [DATA_EXPOSURE_AND_EXFILTRATION]: The skill accesses local configuration files including ~/.wxautox/service_status.json and config.yaml to retrieve authentication tokens and connection parameters.
- [INDIRECT_PROMPT_INJECTION]: The skill retrieves and displays WeChat messages from external contacts, creating an attack surface where malicious instructions embedded in messages could influence agent behavior.
  - Ingestion points: Message retrieval logic in cmd_getmsg, cmd_getmsg_chat, cmd_history, and cmd_newmsg in scripts/wxapi.py.
  - Boundary markers: Absent; message content is output to the agent context without delimiters or safety warnings.
  - Capability inventory: The skill possesses the capability to execute shell commands and launch subprocesses.
  - Sanitization: No sanitization or verification of the ingested message content is performed.
Recommendations
- HIGH: Downloads and executes remote code from: unknown (check file) - DO NOT USE without thorough review