md2wechat
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [Data Exposure & Exfiltration] (HIGH): The script `scripts/wechat_publish.py` is vulnerable to arbitrary local file read. It parses image tags from a Markdown file and reads the referenced files directly from the filesystem without path validation.
  - Evidence: In `scripts/wechat_publish.py` (lines 186-190), `os.path.isabs(local_path)` is checked, and if the path is absolute it is passed unchanged to `open(local_path, "rb")`. An attacker who controls the Markdown can point an image tag at an absolute path, causing the skill to read that file and upload it to WeChat as an "image".
- [Indirect Prompt Injection] (HIGH): The skill processes untrusted external data (Markdown) that drives sensitive capabilities, namely file reading and network uploads.
  - Ingestion points: `scripts/wechat_publish.py` reads content from `args.md`, which is provided by the user or by an external source.
  - Boundary markers: None. The script processes the raw output of the Markdown parser directly.
  - Capability inventory: The script can read any file accessible to the user and send POST requests to external APIs (`api.weixin.qq.com`).
  - Sanitization: There is no validation or sanitization of image sources (local or remote) before they are processed.
- [Data Exposure & Exfiltration] (MEDIUM): Server-Side Request Forgery (SSRF) risk in image processing.
  - Evidence: The `download_url` function in `scripts/wechat_publish.py` calls `urllib.request.urlopen` on any URL found in the Markdown file. Because the request is issued from the machine running the skill, this could be used to probe internal network services or reach cloud metadata services (e.g., 169.254.169.254).
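The local-file-read and SSRF findings above share one root cause: image sources taken from the Markdown go straight into `open()` and `urlopen()`. The block below is an added example, not code from `wechat_publish.py` or the md2wechat project, showing how both paths could be vetted before any file is read or any request is made. The function names (`extract_image_sources`, `resolve_local_image`, `check_remote_image`, `vet_image_sources`), the allowed-suffix list and the sample Markdown are assumptions constructed for this example; the resolver is injectable so the checks run offline.

```python
import ipaddress
import os
import re
import socket
from pathlib import Path
from urllib.parse import urlparse

# Hypothetical policy for the example: only common raster image types may be
# read from disk. The real script's accepted formats are not on the page.
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".webp"}

# Matches ![alt](source "optional title") and captures the source.
IMAGE_RE = re.compile(r'!\[[^\]]*\]\(\s*([^)\s]+)[^)]*\)')

# Constructed sample document (not from the project). It exercises a benign
# relative image, a directory escape, an absolute path, a link-local
# metadata URL and a file:// URL.
SAMPLE_MD = """\
# Post
![cover](images/cover.png)
![escape](../../outside.png)
![absolute](/private/secrets.txt)
![metadata](http://169.254.169.254/latest/meta-data/)
![file](file:///private/secrets.txt)
"""


def extract_image_sources(markdown: str) -> list[str]:
    """Return every image source in document order."""
    return IMAGE_RE.findall(markdown)


def resolve_local_image(src: str, md_dir) -> Path:
    """Hardened counterpart of opening the image path unchecked.

    Absolute paths are refused outright. Relative paths are resolved
    (following symlinks) and must still lie inside the document directory,
    so both '../' escapes and symlinks pointing elsewhere are rejected.
    """
    if os.path.isabs(src):
        raise ValueError(f"absolute path rejected: {src}")
    base = Path(md_dir).resolve()
    candidate = (base / src).resolve()
    if base not in candidate.parents:
        raise ValueError(f"path escapes document directory: {src}")
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"not an allowed image type: {src}")
    return candidate


def default_resolver(host: str) -> list[str]:
    """Resolve a host to the IP literals a fetch would connect to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_remote_image(url: str, resolver=default_resolver) -> str:
    """Hardened counterpart of calling urlopen on any URL in the document.

    Only http(s) is allowed, embedded credentials are refused, and every
    address the host resolves to must be globally routable. That excludes
    loopback, RFC 1918 ranges and link-local space such as 169.254.169.254.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {url}")
    if not parts.hostname:
        raise ValueError(f"missing host: {url}")
    if parts.username or parts.password:
        raise ValueError(f"credentials in URL rejected: {url}")
    for addr in resolver(parts.hostname):
        if not ipaddress.ip_address(addr).is_global:
            raise ValueError(f"non-public address {addr} for {url}")
    return url


def vet_image_sources(markdown: str, md_dir, resolver=default_resolver) -> list[tuple[str, str]]:
    """Classify each image source as 'ok' or 'rejected: <reason>'."""
    report = []
    for src in extract_image_sources(markdown):
        try:
            if urlparse(src).scheme:
                check_remote_image(src, resolver)
            else:
                resolve_local_image(src, md_dir)
            report.append((src, "ok"))
        except ValueError as exc:
            report.append((src, f"rejected: {exc}"))
    return report


if __name__ == "__main__":
    # Literal IPs resolve without DNS, so this runs offline.
    for src, verdict in vet_image_sources(SAMPLE_MD, "/tmp/post"):
        print(f"{verdict:<55} {src}")
```

The containment test runs after `resolve()`, so a symlink placed inside the document directory but pointing outside it is rejected along with plain `../` escapes. For the remote check, note that `urllib.request.urlopen` follows redirects by default; the address check must be repeated on every redirect target (or redirects disabled), since the example only vets the URL as written in the Markdown.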
Recommendations
- AI detected serious security threats
Audit Metadata