wechat-article

Pass

Audited by Gen Agent Trust Hub on Jun 24, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses subprocess.run to call its internal Python scripts for cover generation and publishing. It also utilizes the curl command-line tool specifically for uploading image assets to the WeChat API. These calls are implemented using list-based argument passing, which is a secure practice to prevent shell command injection.
  • [CREDENTIALS_UNSAFE]: The skill requires WeChat appid and appsecret for functionality. It instructs the agent to solicit these from the user and store them in a local configuration file (wechat-article.config.json). These credentials are only used to communicate with the official WeChat API domain (api.weixin.qq.com).
  • [PROMPT_INJECTION]: A robust security gate is implemented in the workflow requiring the user to explicitly type "确认发布" (confirm publish) after reviewing the article and cover preview. This prevents the agent from autonomously publishing content without direct human approval.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 24, 2026, 10:32 PM
Security Audit — agent-trust-hub — wechat-article