wechat-archiver

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches public WeChat articles (mp.weixin.qq.com) via the wechat2md tool and then reads/interprets the resulting article.md to decide artifact_plan and to build the user_prompt passed to note-creator (see SKILL.md Steps 1, 6–7 and tools/wechat_archiver*.py), so untrusted third-party content can directly influence tool decisions and actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). At runtime the skill invokes wechat2md to fetch user-supplied WeChat article URLs (e.g., https://mp.weixin.qq.com/s/xxxxx) and then uses the fetched article.md content as the user_prompt / context passed to the note-creator, meaning remote content directly controls prompts injected into the agent.