wecomcli-msg
Pass
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted chat messages from WeCom, creating a surface for indirect prompt injection attacks where a sender could attempt to manipulate the agent's behavior.
  1. Ingestion points: Message content is retrieved via the get_message API (documented in references/get-message.md).
  2. Boundary markers: The instructions do not define specific delimiters or separators to isolate chat data from agent instructions.
  3. Capability inventory: The skill can send outbound messages (send_message) and download or rename files (get_msg_media).
  4. Sanitization: No sanitization or filtering of message content is mentioned before processing.
- [COMMAND_EXECUTION]: All functionality is implemented through the wecom-cli binary, invoked via the shell with JSON arguments. The agent must therefore correctly escape potentially malicious message content before it is passed on the command line, or command injection becomes possible.
- [EXTERNAL_DOWNLOADS]: The get_msg_media tool downloads files from WeCom servers to the local system. The skill mitigates risk by requiring the agent to inform the user of the local file paths and asking for permission to delete these files after use.
- [DATA_EXFILTRATION]: The skill has read access to sensitive communication data and the ability to send messages. This functional setup could be exploited to exfiltrate data if the agent's logic is subverted through malicious message content.
Audit Metadata