wecom-cli-enterprise-wechat
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS COMMAND_EXECUTION DATA_EXFILTRATION PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the global NPM package `@wecom/cli` from the public registry and downloads an external agent skill repository from GitHub using `npx skills add WeComTeam/wecom-cli`.
- [COMMAND_EXECUTION]: The skill operates by executing the `wecom-cli` command-line utility for all interactions with the WeCom platform, including file operations and data management.
- [DATA_EXFILTRATION]: The skill provides capabilities to retrieve sensitive enterprise data, such as message history (`pull_messages`), document content (`document read`), and contact lists (`get_userlist`), making this information available to the AI agent.
- [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection because it ingests untrusted content from external messages and documents while possessing broad modification capabilities within the same environment.
  - Ingestion points: Data from the WeCom environment enters the agent context via `wecom-cli message pull_messages`, `wecom-cli document read`, and `wecom-cli smartsheet get_records` as described in SKILL.md.
  - Boundary markers: The skill does not define specific delimiters or instructional warnings to prevent the agent from obeying commands embedded in the retrieved WeCom content.
  - Capability inventory: The skill allows the agent to execute subprocess commands for creating and editing messages, documents, tasks, and meetings.
  - Sanitization: There is no mention of sanitization or validation of the content pulled from the WeCom API before it is processed by the agent.
Audit Metadata