wjs-publishing-wechat

Fail

Audited by Gen Agent Trust Hub on May 30, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill relies heavily on executing shell commands and external CLI tools through subprocess.run and backtick expansion across its script library. Examples include:
      ◦ Use of the macOS utilities sips, pbcopy, osascript, and open in scripts/publish.sh for image processing, clipboard management, and browser interaction.
      ◦ Execution of the md2wechat CLI tool for uploading drafts and images to WeChat servers.
      ◦ Calling node to run logic from the gpt-image-2-skill dependency.
  • [REMOTE_CODE_EXECUTION]: The script scripts/fetch-comments-via-gstack.sh implements a high-privilege capability by executing dynamically constructed JavaScript code inside a browser context.
      ◦ Evidence: The browse_fetch function generates a JavaScript string containing a fetch() call (parameterized via json.dumps) and executes it using browse js. This allows the skill to perform authenticated requests within the user's active WeChat session in the browser. While intended for comment retrieval, such dynamic code execution in a sensitive browser environment is a high-risk pattern.
  • [EXTERNAL_DOWNLOADS]: The skill automates the download and setup of external third-party code.
      ◦ Evidence: The README.md and SKILL.md instruct the user to git clone the gpt-image-2-skill repository. The image generation scripts (gen-cover-ai.sh and gen-illustration.sh) directly execute JavaScript wrappers from this external repository, located in the user's home directory.
  • [DATA_EXFILTRATION]: The skill manages highly sensitive credentials and session data required for WeChat interactions.
      ◦ Evidence: It processes WECHAT_APPID, WECHAT_SECRET, and browser cookies to authenticate with WeChat's official and internal APIs. Scripts like fetch-comments-by-cookie.sh require users to manually provide session cookies from their browser, which are then used for network requests to WeChat domains.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted external data (WeChat comments), which is interpolated into article drafts, creating a surface for indirect prompt injection.
      ◦ Evidence chain:
          ▪ Ingestion points: Comments are fetched into comments.md (via discover-prev-elected.sh).
          ▪ Boundary markers: None. Comments are formatted directly into article content.
          ▪ Capability inventory: Subprocess execution, browser manipulation, and file writes.
          ▪ Sanitization: Minimal; comments are parsed with regular expressions and embedded into HTML templates.
Recommendations
  • HIGH: Downloads and executes remote code from: unknown (check file) - DO NOT USE without thorough review
Audit Metadata
Risk Level: HIGH
Analyzed: May 30, 2026, 12:48 AM
Security Audit — agent-trust-hub — wjs-publishing-wechat