baoyu-post-to-wechat

Warn

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: Executes system-level automation scripts and binaries. On macOS, it generates and runs temporary Swift scripts for clipboard image handling and uses AppleScript for keystroke simulation. On Windows and Linux, it uses PowerShell and tools like xdotool to automate UI actions. It also invokes the agent-browser and bun CLI tools as sub-processes.
  • [EXTERNAL_DOWNLOADS]: Fetches executable code and data from remote sources. It dynamically imports language grammar modules from an external CDN (Aliyun) and retrieves SVG content and diagrams from PlantUML and user-provided remote image URLs in content.
  • [PROMPT_INJECTION]: Provides an indirect prompt injection surface through its ingestion of untrusted Markdown and HTML files.
      • Ingestion points: User-provided article content processed in scripts like wechat-api.ts.
      • Boundary markers: Absent; untrusted content is not isolated from script instructions.
      • Capability inventory: Network access (WeChat API), file system operations, and browser/UI automation.
      • Sanitization: Limited to standard Markdown-to-HTML rendering, which does not prevent directives from influencing the agent's browser-based actions.
  • [DATA_EXFILTRATION]: Accesses and transmits sensitive configuration data. The skill reads WeChat AppID and AppSecret credentials from local .env files and environment variables, sending them to external API endpoints at api.weixin.qq.com to facilitate publishing.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 19, 2026, 02:33 PM