access

Pass

Audited by Gen Agent Trust Hub on Mar 22, 2026

Risk Level: SAFE
Finding tag: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface through the processing of untrusted data from the WeChat channel.
  • Ingestion points: Untrusted data enters the agent's context via the ~/.claude/channels/weixin/access.json file, specifically the pending list which is populated by an external channel server.
  • Boundary markers: The skill contains a manual instruction to only act on requests typed in the terminal, but it lacks structural boundary markers or data delimiters to prevent the LLM from misinterpreting content within the JSON state as instructions.
  • Capability inventory: The skill is granted access to Read, Write, and Bash (mkdir, ls) tools.
  • Sanitization: There is no validation or sanitization of the senderId field. The instructions explicitly state "Don't validate format," and these opaque strings are used directly to construct shell commands for directory creation (mkdir -p ~/.claude/channels/weixin/approved/<senderId>). This allows for potential path traversal or manipulation if a malicious identifier is injected into the pending list by the external server.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 22, 2026, 08:01 AM