baoyu-wechat-summary

Warn

Audited by Gen Agent Trust Hub on May 25, 2026

Risk Level: MEDIUM
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill includes explicit directives to the AI agent to bypass platform security constraints. In the 'Sandbox restriction' section of SKILL.md, it instructs the agent that every command 'needs to run with dangerouslyDisableSandbox: true from the start — don't waste a sandbox attempt first.'
  • [DATA_EXFILTRATION]: The skill is designed to read sensitive personal data from local directories, specifically the WeChat data directory ('/Library/Containers/com.tencent.xinWeChat/' on macOS) and the wx-cli configuration directory ('/.wx-cli/'). This grants the agent access to private communication history.
  • [COMMAND_EXECUTION]: The skill's primary functionality depends on executing an external shell command 'wx' (part of the '@jackwener/wx-cli' package). It provides the agent with instructions on how to handle session initialization, daemon management, and troubleshooting through the command line.
  • [INDIRECT_PROMPT_INJECTION]: The skill ingests and processes untrusted data in the form of WeChat group messages via the 'wx history' command.
      • Ingestion points: Raw message content is pulled into the agent's context through JSON objects returned by the external binary (SKILL.md Step 3).
      • Boundary markers: The instructions do not define boundary markers or 'ignore' warnings for the processed message content.
      • Capability inventory: The agent has the capability to read and write files (history.json, profile files, and digest markdown files) and execute shell commands.
      • Sanitization: There is no mention of sanitizing or escaping the text content before the agent summarizes or quotes it.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 25, 2026, 05:38 AM
Security Audit — agent-trust-hub — baoyu-wechat-summary