wechat-article-publisher
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): The skill directs the agent to execute 'cat .env | grep WECHAT_API_KEY'. This exposure pattern is dangerous as it brings the contents of the sensitive .env file into the agent's context, potentially leaking other credentials (e.g., AWS_SECRET_ACCESS_KEY, DATABASE_URL) stored in the same file to the session history.
- [DATA_EXFILTRATION] (MEDIUM): Local file content and API keys are transmitted to 'https://wx.limyai.com/api/openapi/'. Since this domain is not a recognized 'Trusted External Source', sending local data to it constitutes a potential data leak to an unverified third party.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to indirect prompt injection attacks.
  1. Ingestion points: The skill reads local Markdown (.md) and HTML (.html) files (e.g., ~/articles/ai-tools.md).
  2. Boundary markers: There are no instructions to use delimiters or to ignore embedded instructions within these files.
  3. Capability inventory: The skill has the capability to perform network POST requests and execute local Python scripts via the terminal.
  4. Sanitization: No sanitization or validation of the ingested content is documented.
  This combination allows malicious instructions embedded in a processed article to hijack the agent's workflow.
- [COMMAND_EXECUTION] (LOW): The skill relies on executing local Python scripts (wechat_api.py, parse_markdown.py) with user-supplied file paths. While functional, this requires careful handling of shell arguments to prevent local command injection if file paths or appids are maliciously crafted.
Recommendations
- AI detected serious security threats
Audit Metadata