ai-wechat-hotspot-writer

Pass

Audited by Gen Agent Trust Hub on Apr 24, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it fetches and processes content from external news sources, social media (X, Weibo, etc.), and product platforms (Product Hunt, GitHub) as specified in references/source-playbook.md. These external sources are untrusted and could contain malicious instructions designed to hijack the agent's logic during news summarization or article drafting.
  • Ingestion points: External news articles, social media feeds, and trending product lists (references/source-playbook.md).
  • Boundary markers: Employs structured output templates (references/article-template.md), but lacks explicit instructions to ignore or sanitize commands embedded within the fetched source material.
  • Capability inventory: The skill performs file system writes using scripts/save_article.py and utilizes external search/retrieval tools (sensight).
  • Sanitization: No explicit sanitization, filtering, or escaping of the ingested news content is performed before processing.
  • [COMMAND_EXECUTION]: The skill includes a Python script, scripts/save_article.py, which is executed to save generated articles to the local file system. The script performs file read and write operations. While it includes basic slug sanitization and uses path resolution, its capability to read files based on agent-provided arguments presents a potential risk if the agent is manipulated into reading sensitive local files.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 24, 2026, 04:51 AM