wechat-devtools
Pass
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill interacts with the WeChat DevTools CLI (cli.bat) to perform actions like opening projects, building, and uploading code. This involves executing system commands via a user-configured environment variable, WECHAT_DEVTOOLS_CLI.
- [DATA_EXFILTRATION]: The skill includes tools to read sensitive application data, including mini-program source code via wechat_file, local storage via wechat_automator(action='storage'), and runtime page data. While these are intended for development, they represent a data exposure surface.
- [REMOTE_CODE_EXECUTION]: The wechat_automator(action='evaluate') tool allows the agent to execute arbitrary JavaScript expressions and statements within the mini-program's logic layer. This is a core feature for automation but constitutes a dynamic code execution surface.
- [PROMPT_INJECTION]: The skill instructions include a directive in Step 1 of SOP A to 'ignore' transient IDE errors ('simulator not found') and continue. While contextually benign, such instructions resemble prompt injection patterns used to bypass error handling or safety filters.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests untrusted external data that the agent then processes:
  - Ingestion points: Mini-program source code (wechat_file), console logs (wechat_inspector), and CDP logs from the rendering layer.
  - Boundary markers: None explicitly defined in the provided instructions to separate untrusted logs/code from agent instructions.
  - Capability inventory: Subprocess execution (CLI), file reading, and JavaScript evaluation (evaluate).
  - Sanitization: No explicit sanitization or validation of the ingested logs or source code is mentioned before the agent processes them.
Audit Metadata