wechat-search-collector
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE] (LOW): The skill instructs the agent to export sensitive credentials (`FEISHU_APP_ID`, `FEISHU_APP_SECRET`) to environment variables. While these are not hardcoded, the workflow encourages plain-text secret handling which can lead to accidental exposure in logs or process environments.
- [DATA_EXFILTRATION] (LOW): The skill exfiltrates scraped WeChat data to external Feishu Bitable endpoints. Although this is the stated purpose, the destination is not on the trusted domain list.
- [COMMAND_EXECUTION] (SAFE): The skill executes local scripts via `npx tsx` and controls Android devices using `ADB`. These are necessary for its primary automation function and are restricted to local paths.
- [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) because it uses `ai-vision` to process screenshots of untrusted third-party content (WeChat search results).
  - Ingestion points: WeChat UI screenshots stored in `~/.eval/<TASK_ID>/`.
  - Boundary markers: Absent; the vision model is given direct instructions to interpret the screenshot content.
  - Capability inventory: ADB (click, swipe, text input), SQLite access, and network-based reporting.
  - Sanitization: None; visual content from the target application is processed without validation.
Audit Metadata