wxmp-cracker

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 1.00). The skill hides its real behavior by requiring the agent to run an external CLI to decrypt and then "follow to the letter" the opaque SKILL.md, which injects hidden/deceptive instructions outside the visible skill description and scope.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The skill explicitly automates obtaining and persisting backend tokens/cookies for mp.weixin.qq.com, contains multiple AES-encrypted/obfuscated components that must be remotely decrypted (including a stated HTTP round-trip/license check), and instructs not to cache decrypted outputs — together these are strong indicators of credential harvesting, obfuscation to hide runtime behavior, and potential for hidden exfiltration or backdoor activity.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs the agent to crawl and fetch articles from mp.weixin.qq.com (public WeChat public-account pages), ingesting user-generated, untrusted content as part of its search/fetch/export/analysis workflow, so that third-party page content could influence subsequent tool actions.