baoyu-post-to-wechat
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes platform-specific commands to facilitate browser automation and system interaction, including
osascripton macOS for accessibility and keystroke simulation,powershell.exeon Windows for clipboard and input management, andxdotoolorydotoolon Linux. - [COMMAND_EXECUTION]: During environment checks and clipboard operations on macOS, the skill dynamically generates and executes local Swift scripts to handle rich media data like images, which is a standard procedure for this platform's clipboard integration.
- [EXTERNAL_DOWNLOADS]: The article publishing scripts are capable of fetching remote images via HTTP/S if URLs are provided in the article body or metadata, allowing the agent to process and upload these assets to WeChat's servers.
- [COMMAND_EXECUTION]: The skill uses
agent-browser, a specialized CLI tool, to perform high-level browser automation tasks such as navigating the WeChat dashboard and interacting with the editor UI. - [DATA_EXFILTRATION]: A feature in the browser-based posting workflow allows users to send the WeChat login QR code to a private Telegram bot if specific bot credentials are provided in the environment; this is a documented convenience feature for remote login scenarios.
Audit Metadata