wechat-rpa-bot

Warn

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill downloads an opaque binary executable (service.exe) from a remote GitHub release URL during setup.
    • Evidence: curl -L -o service.exe https://github.com/LeoMusk/wechat-rpa-bot-skill/releases/download/v1.7.0/service.exe in SKILL.md and README.md.
  • [REMOTE_CODE_EXECUTION]: The skill automatically executes the downloaded service.exe binary to provide the RPA backend service.
    • Evidence: subprocess.Popen([service_exe, ...]) in scripts/start_server.py.
  • [COMMAND_EXECUTION]: The skill uses subprocess.run with shell=True to execute system commands like taskkill for process management.
    • Evidence:
      • subprocess.run(f"taskkill /F /T /PID {proc.info['pid']}", shell=True...) in scripts/start_server.py.
      • subprocess.run(f"taskkill /F /T /PID {pid}", shell=True...) in scripts/stop_server.py.
  • [INDIRECT_PROMPT_INJECTION]: The skill represents an attack surface for indirect prompt injection as it ingests untrusted data from WeChat messages and uses AI to generate replies that can trigger further actions.
    • Ingestion points: Real-time message polling via /api/chat/messages/{sessionName} (defined in references/openapi.json).
    • Boundary markers: None present in the provided code to distinguish between message content and instructions.
    • Capability inventory: Process management (taskkill), file system writes (.bat file generation), and network API calls to send WeChat messages/files.
    • Sanitization: Not visible in the provided frontend or script logic; likely handled by the opaque backend service.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 11, 2026, 12:16 PM