wechat-writer
Pass
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill communicates with well-known and trusted technology services, including Google's Gemini API, OpenAI's DALL-E API, and VolcEngine's Jimeng API for image generation. These interactions are standard for the skill's stated purpose.
- [CREDENTIALS_UNSAFE]: The skill appropriately manages sensitive credentials (API keys) by instructing the user to store them in environment variables rather than hardcoding them in the scripts or documentation.
- [COMMAND_EXECUTION]: The skill uses the
Bashtool to execute internal Python scripts (scripts/generate_image.py) for image generation. These scripts are provided as part of the skill and perform limited, well-defined tasks without executing arbitrary user input. - [DATA_EXFILTRATION]: No indicators of sensitive data exfiltration were found. Network operations are restricted to searching the web for article content and interacting with official image generation APIs.
- [INDIRECT_PROMPT_INJECTION]: The skill has an ingestion surface for untrusted data via
WebSearchandWebFetchtools (documented inSKILL.md). While boundary markers are not explicitly defined in the prompt instructions to delineate external content, the capability inventory (local script execution and file writing) is appropriately scoped to the skill's primary function of article generation.
Audit Metadata