xiaolvs-pipeline

Fail

Audited by Gen Agent Trust Hub on Jun 29, 2026

Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/wecom_bot_service.py uses subprocess.run to execute the codebuddy CLI tool. The command includes the --dangerously-skip-permissions flag, which bypasses the agent's built-in security guardrails and allows it to perform sensitive operations without user intervention.
  • [PROMPT_INJECTION]: In scripts/wecom_bot_service.py, the handle_message function takes raw message content from WeChat users and passes it to _generate_task. This function interpolates the untrusted content directly into a system prompt for codebuddy. This is a classic prompt injection vulnerability, enabling any user who can chat with the bot to issue commands to the underlying host system.
  • [EXTERNAL_DOWNLOADS]: The script scripts/start_tunnel.sh utilizes localhost.run to expose the local bot server to the public internet via an SSH tunnel (*.lhr.life). External security scanners have identified these domains as malicious due to their common use in phishing and command-and-control operations.
  • [REMOTE_CODE_EXECUTION]: The combination of a public SSH tunnel (exposing the local listener) and the bridge to the codebuddy agent (which executes commands with skipped permissions) creates a remote code execution (RCE) vector. An attacker can send malicious chat messages to the bot to execute arbitrary code on the system hosting the skill.
  • [CREDENTIALS_UNSAFE]: While the skill uses environment variables for most secrets, scripts/wecom_bot_service.py contains placeholder values for BOT_TOKEN and BOT_AES_KEY. Additionally, the skill's workflow stores persistent authentication states for Xiaohongshu and WeChat in the user's home directory (~/.xiaohongshu/storage_state.json), which could be exfiltrated if the host is compromised.
Recommendations
  • AI detected serious security threats
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 29, 2026, 02:00 AM
Security Audit — agent-trust-hub — xiaolvs-pipeline