baoyu-post-to-wechat

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to prompt the user for WeChat AppID/AppSecret and write them as plaintext into .env (e.g., WECHAT_APP_ID=<user_input>), which requires the LLM to handle and embed secret values verbatim in generated outputs/commands, posing exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill explicitly downloads and incorporates remote, user-provided web resources (e.g., md-to-wechat.ts's resolveImagePath/downloadFile which fetches http(s) image URLs from markdown, and the PlantUML extension's fetchSvgContent that fetches SVGs from external servers), and the agent workflow parses and uses that markdown/HTML content (titles, summaries, images) as part of publishing—exposing it to untrusted third-party content.