wechat-cli

Fail

Audited by Gen Agent Trust Hub on Apr 19, 2026

Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill's primary function relies on downloading a pre-compiled binary (wechat-cli) from a personal GitHub repository (leeguooooo/wechat-skill) and executing it locally. The source code for this binary is explicitly stated to be in a private repository, making its behavior unverifiable.
  • [EXTERNAL_DOWNLOADS]: Both README.md and install.sh contain instructions to download a binary from a remote URL (https://github.com/leeguooooo/wechat-skill/releases/latest/download/wechat-cli) and move it to a system path (/usr/local/bin).
  • [COMMAND_EXECUTION]: The skill executes various system commands to prepare the environment, including curl, chmod, xattr, and sudo install. The wechat-cli tool itself invokes lldb to attach to and manipulate the memory of the running WeChat process, which is a highly invasive technique typically associated with exploitation or reverse engineering.
  • [PRIVILEGE_ESCALATION]: The installation script requests elevated privileges via sudo to write to /usr/local/bin. Additionally, the skill requires the user to grant 'Accessibility' permissions to the Terminal, which provides the ability to control the UI and observe other applications.
  • [INDIRECT_PROMPT_INJECTION]: The skill provides a surface for indirect injection as it ingests untrusted user input (via the --text argument) which is then processed by the wechat-cli tool and injected into the WeChat process memory using LLDB.
    • Ingestion points: The agent takes user-provided text and contact IDs as arguments for the CLI tool.
    • Boundary markers: None identified in the provided instructions.
    • Capability inventory: The skill has the capability to execute shell commands and manipulate the memory of external processes (WeChat) via LLDB.
    • Sanitization: There is no evidence of sanitization or escaping of the user-provided text before it is passed to the shell or injected into process memory.
Recommendations
  • HIGH: Downloads and executes remote code from: https://github.com/leeguooooo/wechat-skill/releases/latest/download/wechat-cli - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 19, 2026, 06:48 PM