wechat-article-writer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is susceptible to Indirect Prompt Injection through its web-fetching capabilities.\n
- Ingestion points: The
web_fetchtool (Step 1) andexa:web_search_exa(Step 2) ingest content from arbitrary external sources.\n - Boundary markers: Absent. The instructions do not specify any delimiters to separate external content from the system prompt.\n
- Capability inventory: The skill uses
web_fetch,exa:web_search_exa, andmem0-memory-mcp. The access to a memory tool increases the risk, as an injection could attempt to read or leak stored user preferences.\n - Sanitization: No evidence of sanitization, filtering, or validation of the fetched content before it is used for planning and writing.\n- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill fetches data from arbitrary, unverified URLs.\n
- While the tools used are standard MCP components, the lack of a restricted domain list or URL validation logic allows the agent to process content from potentially malicious sources designed to exploit prompt-following behavior.
Recommendations
- AI detected serious security threats
Audit Metadata