Fail
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill's installation process uses the high-risk curl-piped-to-bash pattern to execute a remote script (install.sh) directly in the shell.
- [EXTERNAL_DOWNLOADS]: Setup logic fetches and installs compiled native binaries (e.g., wechat, wechatd, wechat-bridge) from a personal GitHub repository.
- [COMMAND_EXECUTION]: Requests and executes commands with sudo privileges to enable macOS developer mode and to ad-hoc re-sign local application bundles.
- [COMMAND_EXECUTION]: Establishes persistence on the host machine by installing a macOS LaunchAgent (ai.wechat.bridge.plist) and appending PATH updates to shell configuration files such as ~/.zshrc.
- [COMMAND_EXECUTION]: Features a real-time message listener that allows the execution of arbitrary shell scripts via the --on-message flag, using environment variables to pass untrusted message content.
- [DATA_EXFILTRATION]: Accesses sensitive private files including WeChat's encrypted SQLite database directories and the raw decryption keys stored in the user's home folder.
- [REMOTE_CODE_EXECUTION]: Ingests untrusted external data from WeChat messages and provides an automated surface for shell command execution, representing an indirect prompt injection risk.
  - Ingestion points: Incoming WeChat messages processed by the listen command.
  - Boundary markers: Absent for message content interpolation into shell handlers.
  - Capability inventory: Arbitrary shell command execution, database read access, and network operations.
  - Sanitization: No explicit content sanitization or filtering is described before data is passed to subprocesses.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/leeguooooo/wechat-skill/main/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata