baoyu-post-to-wechat
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The file `scripts/md/utils/languages.ts` uses dynamic `import()` to load and execute JavaScript from `https://cdn-doocs.oss-cn-shenzhen.aliyuncs.com`. This allows for arbitrary code execution if the CDN or the transport is compromised.
- [COMMAND_EXECUTION] (HIGH): The script `scripts/paste-from-clipboard.ts` executes powerful system automation commands including `osascript` (macOS), `xdotool`/`ydotool` (Linux), and `powershell.exe` (Windows). These tools are used to send simulated keystrokes to the OS, which is a high-risk capability that can be abused to control the user's desktop environment.
- [EXTERNAL_DOWNLOADS] (MEDIUM): In `scripts/md-to-wechat.ts`, the `downloadFile` function fetches remote images from arbitrary URLs found in Markdown files and saves them to the local filesystem (`os.tmpdir()`). This can be used for server-side request forgery (SSRF) or local file exhaustion.
- [COMMAND_EXECUTION] (MEDIUM): Multiple scripts, including `scripts/md-to-wechat.ts`, use `spawnSync` to execute `npx bun` and other shell commands to render content, increasing the attack surface for command injection if input parameters are not properly sanitized.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill processes untrusted Markdown content provided by users.
  - Ingestion points: Markdown files are read in `scripts/md-to-wechat.ts`.
  - Boundary markers: No specific boundary markers or 'ignore' instructions are present to prevent embedded commands in processed text.
  - Capability inventory: File system write access, network downloads, subprocess spawning, and OS-level keystroke automation.
  - Sanitization: Lacks comprehensive sanitization of URLs and frontmatter fields before processing.
Recommendations
- AI detected serious security threats
Audit Metadata