wecomcli-get-todo-list
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill executes the `wecom-cli` command to fetch todo data. It uses structured JSON for parameters, which is a secure practice to prevent shell injection.
- [DATA_EXPOSURE_AND_EXFILTRATION]: The skill accesses enterprise todo list information. This access is local to the user's environment via the `wecom-cli` binary and is the primary intended purpose of the skill.
- [INDIRECT_PROMPT_INJECTION]: The skill processes output from the `wecom-cli` tool. While this represents a potential surface for indirect prompt injection from malicious todo items, the skill follows best practices by requesting specific IDs and status fields rather than raw executable content.
Audit Metadata