baoyu-post-to-wechat

Warn

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The file scripts/md/utils/languages.ts dynamically imports and executes JavaScript from https://cdn-doocs.oss-cn-shenzhen.aliyuncs.com using the import() function to load syntax highlighting definitions at runtime.
  • [EXTERNAL_DOWNLOADS]: scripts/md-to-wechat.ts implements a downloadFile function that uses the Node.js http and https modules to fetch images from arbitrary remote URLs defined in Markdown documents.
  • [COMMAND_EXECUTION]: Multiple scripts, including scripts/copy-to-clipboard.ts and scripts/paste-from-clipboard.ts, execute platform-specific system utilities such as osascript, powershell.exe, xclip, xdotool, and swift to manipulate the system clipboard and simulate keystrokes (Command+V/Ctrl+V).
  • [COMMAND_EXECUTION]: The automation engine in scripts/cdp.ts and scripts/wechat-browser.ts spawns the Chrome browser with debugging flags (--remote-debugging-port) and uses the Chrome DevTools Protocol to programmatically control browser behavior.
  • [REMOTE_CODE_EXECUTION]: The skill uses the Runtime.evaluate command within the Chrome DevTools Protocol to execute arbitrary JavaScript in the context of the target web pages for automation purposes.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 26, 2026, 09:05 AM