baoyu-post-to-wechat
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses `spawnSync` and `execSync` across multiple scripts to execute system binaries including `osascript`, `powershell.exe`, `xdotool`, `ydotool`, and `swift`. These are used to facilitate UI automation, simulate keystrokes, and manage the system clipboard for transferring rich content to the WeChat editor across different operating systems (`scripts/cdp.ts`, `scripts/copy-to-clipboard.ts`, `scripts/paste-from-clipboard.ts`).
- [REMOTE_CODE_EXECUTION]: The skill dynamically imports code highlighting grammar modules from a remote Alibaba Cloud CDN (`cdn-doocs.oss-cn-shenzhen.aliyuncs.com`) at runtime based on the languages detected in user-provided content (`scripts/vendor/baoyu-md/src/utils/languages.ts`).
- [EXTERNAL_DOWNLOADS]: Fetches images from external URLs provided in the input Markdown or HTML content to process them for publication on the WeChat platform (`scripts/vendor/baoyu-md/src/images.ts`).
- [CREDENTIALS_UNSAFE]: Reads WeChat API credentials (`WECHAT_APP_ID`, `WECHAT_APP_SECRET`) from environment variables and local `.env` files located in the project or user home directory to authenticate API requests (`scripts/wechat-extend-config.ts`).
Audit Metadata