wechat-watch

Fail

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The README.md within the wechat-download-api service contains instructions to download a binary for the gost proxy tool from gh-proxy.com and ghproxy.cc. These mirrors are flagged by automated scanners as malicious/phishing sites.
  • [REMOTE_CODE_EXECUTION]: SKILL.md and the service documentation instruct the agent to clone an external repository (github.com/tmwgsicp/wechat-download-api) and execute its startup scripts (bash start.sh or docker-compose up -d). This involves fetching and running code from a third-party source not associated with the skill author.
  • [COMMAND_EXECUTION]: The provided start.sh script, when run with sudo, registers a systemd service (wechat-article-api.service). This modifies the system configuration and establishes persistence for the external code.
  • [CREDENTIALS_UNSAFE]: The application is designed to collect and store sensitive WeChat session cookies and tokens in a local .env file. These credentials are stored in plain text and represent a significant security risk if the environment is compromised.
Recommendations
  • AI detected serious security threats
  • Contains 3 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 2, 2026, 04:13 PM