zhy-wechat-publish
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The script `publish_with_cover.js` executes local processes via `spawnSync` to run `bun` and `node` for image generation and task automation. These calls use specific file paths and fixed commands with `shell: false` to prevent injection.
- [EXTERNAL_DOWNLOADS]: The `wechat_draft.js` script downloads images from URLs extracted from processed HTML content to perform automated uploads to WeChat's official media APIs.
- [PROMPT_INJECTION]: An indirect prompt injection surface is present where article content is utilized to generate prompts for an automated illustrator script. Ingestion point: `publish_with_cover.js`. Boundary markers: None. Capability inventory: Local script execution and network access. Sanitization: Basic format stripping.
Audit Metadata