wecom-schedule

Pass

Audited by Gen Agent Trust Hub on Mar 23, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes schedule summaries and descriptions obtained from the Enterprise WeChat API. This creates a surface for indirect prompt injection, where an attacker could create a meeting with a malicious description designed to manipulate the agent's logic when it retrieves and processes those details. Finding located in references/api-get-schedule-detail.md and SKILL.md.
    • Ingestion points: The get_schedule_detail API response includes the summary and description of meetings, which are ingested into the agent's context during query and update workflows.
    • Boundary markers: The skill instructions do not specify any delimiters or safety warnings for the agent to ignore or isolate instructions found within schedule data.
    • Capability inventory: The agent has the authority to create, update, and cancel schedules, as well as look up organizational contacts using the wecom_mcp tool and the wecom-contact-lookup skill.
    • Sanitization: No validation or sanitization of the schedule content is performed before it is processed by the agent.
  • [DATA_EXFILTRATION]: The skill interacts with sensitive organizational data, including individual schedules, meeting locations, and participant lists. While this is the core intended purpose of the skill, it involves handling sensitive employee identifiers. The skill mitigates risks by requiring the use of a separate contact-lookup skill to resolve names to internal user IDs and strictly forbidding the disclosure of these IDs in the user interface.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 23, 2026, 04:18 AM