baoyu-wechat-summary
Warn
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill requires disabling the security sandbox via dangerouslyDisableSandbox: true to execute shell commands using the wx binary and other utilities such as ls, jq, wc, and rm. This grants the agent broad access to the local environment and sensitive files.
- [DATA_EXFILTRATION]: The skill is designed to access and summarize sensitive data from the user's local WeChat directories (~/Library/Containers/com.tencent.xinWeChat/) and CLI configurations (~/.wx-cli/). While it does not include explicit exfiltration commands, the exposure of private chat history in a high-privilege context represents a significant data exposure risk.
- [EXTERNAL_DOWNLOADS]: The skill relies on an external third-party dependency, wx-cli, which must be installed from a third-party GitHub repository (jackwener/wx-cli).
- [PROMPT_INJECTION]: The skill processes untrusted chat messages from WeChat groups. This creates an indirect prompt injection surface where a malicious message could attempt to exploit the agent's high-privilege shell access.
  - Ingestion points: Chat history retrieved via wx history and parsed as JSON (SKILL.md Step 3).
  - Boundary markers: There are no explicit delimiters or system instructions defined to prevent the agent from interpreting message content as executable commands.
  - Capability inventory: Shell execution with the sandbox disabled, and file system read/write access to the host environment (SKILL.md Workflow).
  - Sanitization: No sanitization is performed on message content to detect or filter potential prompt injection patterns.
Audit Metadata