wechat-article-extractor

Fail

Audited by Gen Agent Trust Hub on Jun 5, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The script scripts/extract.js extracts JavaScript code blocks from the HTML of scraped WeChat articles and executes them using the new Function() constructor to parse metadata and configuration objects. This pattern allows code from an untrusted external source (the website being scraped) to run within the agent's execution environment.
  • Evidence: Multiple calls to new Function() in scripts/extract.js (lines 191, 218, 228, 245, 313) where the executed string is partially or fully derived from the remote page's content.
  • [PROMPT_INJECTION]: The skill retrieves and processes untrusted content from external WeChat articles and Sogou search results, creating a surface for indirect prompt injection attacks.
  • Ingestion points: scripts/extract.js fetches data from mp.weixin.qq.com and weixin.sogou.com.
  • Boundary markers: None present; the extracted HTML content is returned to the agent in the msg_content field without delimiters or instructions to ignore embedded commands.
  • Capability inventory: The skill has network access via request-promise and the capability to execute code via new Function().
  • Sanitization: The skill performs only basic HTML unescaping and string replacements, which are insufficient to prevent malicious instructions from influencing the agent.
  • [DATA_EXFILTRATION]: The skill performs outbound network operations to fetch content from WeChat and Sogou, and sends data (including user prompts and reference images) to the Canghe AI API.
  • Evidence: GET requests to WeChat/Sogou in scripts/extract.js and POST requests to api.canghe.ai in canghe-image-gen/scripts/generate_image.py.
  • [EXTERNAL_DOWNLOADS]: The skill includes functionality to download images from arbitrary URLs provided in the API response or by the user.
  • Evidence: download_image function in canghe-image-gen/scripts/generate_image.py.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 5, 2026, 08:26 AM
Security Audit — agent-trust-hub — wechat-article-extractor