baoyu-wechat-summary

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill instructs the agent to read local WeChat messages and preserve/quote message content and profile excerpts verbatim into digests and profile files (with no redaction rules), so any secrets (passwords, API keys, tokens) present in messages would be included in the LLM's output, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches and ingests user-generated WeChat group messages via wx-cli (see SKILL.md steps using wx history "<group>" --since ... --json and related sections) and then reads and interprets those messages to build topics, decide anchors, generate digests, and update profiles, so untrusted third‑party content can materially influence agent behavior.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly instructs the agent to disable the runtime sandbox (dangerouslyDisableSandbox: true) and includes guidance involving sudo (chown, wx init with sudo) and writing/modifying local config and profile files, which directs bypassing security controls and modifying machine state.