post-to-wechat
Warn
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/cdp_export.ts` executes system-level commands using the `node:child_process` module. It invokes `spawnSync` to run `osascript` on macOS, `xdotool` on Linux, and `powershell.exe` on Windows to simulate keystrokes for clipboard operations. It also spawns browser processes (Chrome/Edge/Chromium) from paths that can be configured via environment variables or CLI arguments.
- [REMOTE_CODE_EXECUTION]: The skill utilizes the Chrome DevTools Protocol (CDP) to execute arbitrary JavaScript code within the context of automated browser pages via the `Runtime.evaluate` command. This is used to manipulate the DOM and automate UI interactions on target websites.
- [EXTERNAL_DOWNLOADS]: The skill performs network operations to connect to the browser's CDP endpoint and navigates to external domains including `wechat.reshub.vip` and `mp.weixin.qq.com`. It can also fetch content from a user-specified URL provided via the `--source` argument.
- [DATA_EXFILTRATION]: The skill reads the contents of local Markdown files and transmits this data to the external web application `https://wechat.reshub.vip` to perform HTML conversion. This involves sending potentially sensitive document content to a third-party service.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface as it ingests untrusted Markdown data from local files or remote URLs. Maliciously crafted input could attempt to subvert the agent's logic or the automation flow.
  - Ingestion points: Local Markdown files, stdin, and external source URLs processed in `scripts/cdp_export.ts`.
  - Boundary markers: Absent.
  - Capability inventory: System command execution, file system access, and browser automation.
  - Sanitization: Content is used directly without sanitization or escaping of potential instructions.
Audit Metadata