Skills
skills/hansonyyds/md2wechat-skill/md2wechat/Gen Agent Trust Hub

md2wechat

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
  • EXTERNAL_DOWNLOADS (HIGH): The file scripts/run.sh is designed to download binary executables from https://github.com/hansonyyds/md2wechat-skill/releases. This source is not part of the 'Trusted External Sources' list.
  • REMOTE_CODE_EXECUTION (HIGH): After downloading the binary, the script uses chmod +x to make it executable and then uses exec to run it with arbitrary arguments. Since the binary is hosted on an untrusted repository, its behavior cannot be audited or verified, representing a high-risk remote code execution vector.
  • COMMAND_EXECUTION (MEDIUM): The script acts as a wrapper that passes user-provided arguments directly to an opaque binary. If used by an agent, this could lead to unintended command execution depending on the binary's internal logic.
  • DATA_EXPOSURE & EXFILTRATION (LOW): While no hardcoded secrets were found, the documentation in references/image-syntax.md indicates the use of sensitive environment variables like IMAGE_API_KEY. The binary has the potential to access these variables and exfiltrate them via network calls (which it already performs for image generation and WeChat uploads).
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 18, 2026, 03:20 PM