wechat-auto-reply
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill possesses a vulnerability surface for indirect prompt injection as it ingests untrusted text from WeChat chat messages to determine automated responses. Ingestion points: Reads chat history from the screen using the macOS Vision Framework (OCR) in the implementation logic. Boundary markers: Absent; the skill does not appear to use delimiters or instructions to ignore embedded commands in the recognized text. Capability inventory: The skill uses
cliclickfor keyboard/mouse control, AppleScript for UI automation, and clipboard access. Sanitization: There is no evidence of text sanitization before processing recognized chat content. - [COMMAND_EXECUTION]: The skill executes shell commands and scripts to automate user interface interactions. Evidence: Uses the
cliclickutility for mouse actions andscreencapturefor screen OCR. Evidence: Executes AppleScript (wechat-dm.applescript) to manipulate the WeChat application and manage system clipboard state. - [EXTERNAL_DOWNLOADS]: The skill fetches components from an external repository during installation. Evidence: Installation instructions involve adding a Homebrew tap (
bjdzliu/openclaw) and installing thewechat-auto-replypackage along with dependencies likepyobjcandcliclick.
Audit Metadata