baoyu-post-to-wechat
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): `scripts/md/utils/languages.ts` dynamically imports JavaScript files from an external CDN (cdn-doocs.oss-cn-shenzhen.aliyuncs.com) using `import()`. Whatever that host serves is executed at runtime with the skill's privileges, so a non-trusted third party controls code that runs on the user's machine.
- COMMAND_EXECUTION (HIGH): Multiple scripts use `spawnSync` to execute system commands. `scripts/md-to-wechat.ts` runs `npx -y bun`; the `-y` flag skips the install confirmation, so npx downloads and executes the package without prompting. `scripts/paste-from-clipboard.ts` runs `osascript`, `powershell`, `xdotool` and `ydotool` to drive the OS UI.
- INDIRECT PROMPT INJECTION (HIGH): The skill processes untrusted Markdown content with high-privilege capabilities.
  - Ingestion points: `scripts/md-to-wechat.ts` (Markdown file input).
  - Boundary markers: absent; the content is parsed and rendered directly.
  - Capability inventory: file writing (`writeFile`), network downloads (`http.get`), command execution (`spawnSync`) and OS keystroke simulation.
  - Sanitization: none detected; untrusted input is converted to HTML and handed to OS-level tools.
- DATA_EXFILTRATION (MEDIUM): `scripts/md/extensions/plantuml.ts` sends diagram source code to https://www.plantuml.com/plantuml. An attacker who can influence a processed Markdown file can place sensitive data inside a PlantUML code block and have the skill transmit it to that server.
- EXTERNAL_DOWNLOADS (MEDIUM): `scripts/md-to-wechat.ts` contains a `downloadFile` function that fetches arbitrary remote images named in the Markdown. Because the URL comes from untrusted input, it can be pointed at internal or link-local addresses (SSRF) or used to pull a malicious payload onto the host.
- DYNAMIC_EXECUTION (MEDIUM): `scripts/md/extensions/infographic.ts` dynamically imports `@antv/infographic`, and `scripts/md/extensions/plantuml.ts` fetches remote SVG content and injects it into the DOM via `.outerHTML` without sanitization, so any active content (for example event-handler attributes) in the returned SVG reaches the DOM unfiltered.
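Added example, not code from baoyu-post-to-wechat or from the Trust Hub report: the URL gate a hardened `downloadFile` should apply to every image reference pulled out of the ingested Markdown, covering the SSRF case the EXTERNAL_DOWNLOADS finding describes and the "ingestion point, no sanitization" chain in the prompt-injection finding. The function names (`checkImageUrl`, `triageMarkdownImages`), the `allowHosts` option and the sample Markdown are assumptions constructed for this illustration.

```typescript
// Added example for this audit page, not code from baoyu-post-to-wechat.
// Hypothetical helpers: checkImageUrl, triageMarkdownImages, allowHosts.

export type UrlVerdict = { url: string; ok: boolean; reason?: string };

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit number, else null.
function ipv4ToInt(host: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const p = m.slice(1).map(Number);
  if (p.some((o) => o > 255)) return null;
  return ((p[0] << 24) >>> 0) + (p[1] << 16) + (p[2] << 8) + p[3];
}

// True for "this network", RFC 1918, CGNAT, loopback and link-local
// (cloud metadata services sit at 169.254.169.254).
function isNonPublicIpv4(host: string): boolean {
  const n = ipv4ToInt(host);
  if (n === null) return false;
  const blocks: Array<[string, number]> = [
    ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
    ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ];
  return blocks.some(([base, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base)! & mask) >>> 0);
  });
}

// Gate for one image URL taken from untrusted Markdown. Rejects non-https
// schemes, embedded credentials, names for the local machine, non-public
// IPv4 literals, IPv6 literals, and (optionally) hosts outside an allowlist.
// The WHATWG parser behind `new URL` already turns integer hosts such as
// 2130706433 into 127.0.0.1, so the range check sees the dotted form.
export function checkImageUrl(raw: string, opts: { allowHosts?: string[] } = {}): UrlVerdict {
  let url: URL;
  try { url = new URL(raw); } catch { return { url: raw, ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "https:") return { url: raw, ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { url: raw, ok: false, reason: "credentials in URL" };
  const host = url.hostname.toLowerCase();
  if (host === "" || host === "localhost" || host.endsWith(".localhost") || host.endsWith(".local"))
    return { url: raw, ok: false, reason: `local hostname ${host}` };
  // Node keeps the brackets on IPv6 literals ("[::1]"); refuse them outright
  // rather than enumerating every non-public v6 range here.
  if (host.startsWith("[")) return { url: raw, ok: false, reason: "IPv6 literal not allowed" };
  if (isNonPublicIpv4(host)) return { url: raw, ok: false, reason: `non-public address ${host}` };
  if (opts.allowHosts && !opts.allowHosts.some((h) => host === h || host.endsWith("." + h)))
    return { url: raw, ok: false, reason: `host ${host} not in allowlist` };
  // Caveat: a public name can still resolve to a private address (DNS rebinding).
  // A complete fix resolves the name, checks the resolved address, and connects to it.
  return { url: raw, ok: true };
}

// Ingestion point: pull every ![alt](url) out of the Markdown and gate it.
export function triageMarkdownImages(md: string, opts: { allowHosts?: string[] } = {}): UrlVerdict[] {
  const out: UrlVerdict[] = [];
  const re = /!\[[^\]]*\]\(\s*<?([^\s>)]+)>?[^)]*\)/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(md)) !== null) out.push(checkImageUrl(m[1], opts));
  return out;
}

// Constructed sample Markdown: one legitimate image plus the kinds of
// references an attacker would plant in a file the skill processes.
export const SAMPLE_MD = `# Post
![cover](https://example.com/cover.png)
![meta](http://169.254.169.254/latest/meta-data/)
![loop](https://127.0.0.1:8080/admin)
![int](https://2130706433/x.png)
![lh](https://localhost/x.png)
![v6](https://[::1]/x.png)
![file](file:///etc/passwd)
`;

for (const v of triageMarkdownImages(SAMPLE_MD)) {
  console.log(v.ok ? "allow" : "block", v.url, v.reason ?? "");
}
```

Only the first reference survives; the rest are blocked before any socket is opened. The gate does not address the PlantUML finding, which needs a different fix: remote rendering of code-block contents off by default and enabled per run by the user, not by the Markdown.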
Recommendations
- AI detected serious security threats
Audit Metadata