canghe-post-to-wechat

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to prompt the user for WECHAT_APP_ID and WECHAT_APP_SECRET and write them into a .env file (e.g., WECHAT_APP_SECRET=<user_input>), which requires the LLM to handle and output secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill explicitly downloads and incorporates external web content as part of its runtime workflow — e.g., scripts/md-to-wechat.ts will fetch http/https image URLs referenced in markdown and scripts/md/extensions/plantuml.ts fetches SVG from a PlantUML server — and those fetched assets/html are parsed/embedded and used when composing/publishing the article, so untrusted third‑party content can influence what the agent posts.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The PlantUML extension (scripts/md/extensions/plantuml.ts) generates runtime requests to https://www.plantuml.com/plantuml and, if inlineSvg is enabled, fetches remote SVG and inserts it into the DOM unsanitized—providing a clear path for executing remote content in the rendering context.