baoyu-post-to-wechat
Warn
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill dynamically imports JavaScript code from an external CDN (cdn-doocs.oss-cn-shenzhen.aliyuncs.com) at runtime within `scripts/md/utils/languages.ts` to support code syntax highlighting.
- [COMMAND_EXECUTION]: Scripts such as `scripts/wechat-article.ts` and `scripts/paste-from-clipboard.ts` execute high-risk system commands like `osascript` (macOS), `powershell.exe` (Windows), and `xdotool` (Linux) to interact with the system clipboard and simulate keyboard events.
- [COMMAND_EXECUTION]: The utilities `scripts/check-permissions.ts` and `scripts/copy-to-clipboard.ts` dynamically generate Swift source files and execute them using the `swift` compiler on macOS.
- [EXTERNAL_DOWNLOADS]: `scripts/md-to-wechat.ts` and `scripts/wechat-api.ts` perform network operations to download image content from arbitrary remote URLs provided in user-supplied markdown files.
- [CREDENTIALS_UNSAFE]: The documentation and setup guides in `SKILL.md` and `scripts/wechat-api.ts` instruct users to store sensitive WeChat App Secrets in local `.env` files, which poses a risk of accidental exposure.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface.
  1. Ingestion points: User-provided markdown and HTML files processed by `scripts/md-to-wechat.ts`.
  2. Boundary markers: Absent.
  3. Capability inventory: Browser automation via CDP and execution of system commands (`osascript`, `powershell`).
  4. Sanitization: Absent.

  Maliciously crafted input could potentially manipulate browser automation flows or system interactions.
Audit Metadata