xiaolvs-pipeline
Fail
Audited by Gen Agent Trust Hub on Jun 29, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/wecom_bot_service.pyusessubprocess.runto execute thecodebuddyCLI tool. The command includes the--dangerously-skip-permissionsflag, which bypasses the agent's built-in security guardrails and allows it to perform sensitive operations without user intervention. - [PROMPT_INJECTION]: In
scripts/wecom_bot_service.py, thehandle_messagefunction takes raw message content from WeChat users and passes it to_generate_task. This function interpolates the untrusted content directly into a system prompt forcodebuddy. This is a classic prompt injection vulnerability, enabling any user who can chat with the bot to issue commands to the underlying host system. - [EXTERNAL_DOWNLOADS]: The script
scripts/start_tunnel.shutilizeslocalhost.runto expose the local bot server to the public internet via an SSH tunnel (*.lhr.life). External security scanners have identified these domains as malicious due to their common use in phishing and command-and-control operations. - [REMOTE_CODE_EXECUTION]: The combination of a public SSH tunnel (exposing the local listener) and the bridge to the
codebuddyagent (which executes commands with skipped permissions) creates a remote code execution (RCE) vector. An attacker can send malicious chat messages to the bot to execute arbitrary code on the system hosting the skill. - [CREDENTIALS_UNSAFE]: While the skill uses environment variables for most secrets,
scripts/wecom_bot_service.pycontains placeholder values forBOT_TOKENandBOT_AES_KEY. Additionally, the skill's workflow stores persistent authentication states for Xiaohongshu and WeChat in the user's home directory (~/.xiaohongshu/storage_state.json), which could be exfiltrated if the host is compromised.
Recommendations
- AI detected serious security threats
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata