zhy-wechat-writing
Fail
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: HIGH
Flags: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill requests access to the user's Chrome profile directory via the `wechat_profile_dir` input. Browser profiles contain highly sensitive information including session cookies, saved passwords, and history. Accessing these directories poses a high risk of credential exposure or session hijacking.
- [COMMAND_EXECUTION]: The workflow relies on executing local Node.js scripts (e.g., `node <zhy-article-illustrator>/scripts/illustrate-article.ts`) using string-interpolated arguments. If inputs like `slug` or `topic` are not strictly sanitized, they could be exploited for command injection attacks.
- [EXTERNAL_DOWNLOADS]: The documentation instructs users to install the skill and its dependencies from an external GitHub repository (https://github.com/zhylq/yuan-skills). While these resources belong to the vendor, downloading and executing code from external repositories is an inherent security risk.
- [PROMPT_INJECTION]: The skill features an indirect prompt injection surface. It uses `webfetch` to ingest untrusted content from the web and `WebSearch` results to build an 'evidence pool'. This content is then processed by the LLM to generate articles and perform 'smart reviews', which could allow malicious instructions hidden in external web pages to influence the agent's behavior.
  - Ingestion points: Material collection phase in `SKILL.md` (Step 1) using `webfetch` and `WebSearch`.
  - Boundary markers: None explicitly defined in the prompt templates to delimit external content from instructions.
  - Capability inventory: File writing (Phase 0), network fetching (`webfetch`), and subprocess execution (Steps 6, 7, 8).
  - Sanitization: Mentions removing 'AI traces' but does not specify technical sanitization or escaping of ingested web content before it is processed.
Recommendations
- AI detected serious security threats
Audit Metadata