im-channels
Warn
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: MEDIUM
CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted metadata (XML-like blocks) from IM messages. An attacker could provide a malicious <im> block containing paths to sensitive workspace files (e.g., .magic/config/im-channels.json). The agent is explicitly instructed to "read or process" files using the provided path values without further validation or sanitization.
- [DATA_EXFILTRATION]: The instructions for replying to users (especially in the WeChat reference) allow the agent to include workspace files in its responses using tags like <file src="path">. This creates a direct path for exfiltrating sensitive data to external platforms if the path is manipulated by a malicious user or external source. The support for absolute paths in these tags further escalates the risk.
- [CREDENTIALS_UNSAFE]: The skill collects and stores sensitive API keys and secrets in a known, static location (.magic/config/im-channels.json). This predictability, combined with the file access and exfiltration capabilities mentioned above, creates a significant risk of credential theft via indirect prompt injection.
Audit Metadata