hermesclaw-wechat-multi-agent

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.85). These URLs include a direct raw GitHub install script (curl | bash) and several GitHub repos from individual/low‑audience accounts plus instructions that extract tokens and patch local services — a pattern that is high risk for distributing malicious code or credential theft (127.0.0.1 endpoints and the official ilink domain are local/legitimate-looking, but do not mitigate the danger of running untrusted install scripts and repos).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly forwards "raw iLink protocol messages (text, voice transcriptions, media CDN URLs)" pulled from the WeChat iLink API (ilinkai.weixin.qq.com) to local agents (see "Forwards raw iLink protocol messages" and the ProxyServer / ACPBridge routing in SKILL.md), meaning arbitrary user-generated WeChat content is ingested and can directly influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes an installer that fetches and runs remote code (curl -fsSL https://raw.githubusercontent.com/AaronWong1999/hermesclaw/main/install.sh | bash) and also documents cloning and running code from https://github.com/AaronWong1999/hermesclaw.git, which clearly fetches and executes external code during installation/runtime.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill instructs creating and enabling a systemd service under /etc/systemd/system and runs multiple sudo systemctl commands (and other system-level modifications), which modify system files and require elevated privileges.