wecom-doc

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill requires reading runtime config and user-provided JSON/URLs and embedding values like mcpConfig.doc.url (and substituting botId) verbatim into mcporter commands and user-facing messages, which can expose secret-bearing URLs/tokens.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly accepts user-provided StreamableHttp URLs or JSON (under "场景 A/B") and then runs mcporter config/list/call against the configured MCP server, requiring the agent to parse tool lists and help_message returned by that (potentially arbitrary/untrusted) MCP server to determine tool names, parameters, and next actions—exposing it to untrusted third‑party content from the user-supplied URL.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly uses external MCP server URLs at runtime—either the mcpConfig.doc.url read from ~/.openclaw/wecomConfig/config.json or a user-provided StreamableHttp URL (e.g., "http://xxx")—to configure mcporter and then invoke remote MCP tools, which causes remote code/behavior to be executed and thus directly affects the agent's runtime actions.