skills/leeguooooo/wechat-skill/wechat/Gen Agent Trust Hub

wechat

Fail

Audited by Gen Agent Trust Hub on May 22, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The primary installation method for the skill and its binaries is the execution of a remote shell script fetched via curl and piped directly to bash.
  • Evidence: curl -fsSL https://raw.githubusercontent.com/leeguooooo/wechat-skill/main/install.sh | bash found in README.md and SKILL.md.
  • [COMMAND_EXECUTION]: The skill requires the user to execute high-privilege commands that weaken system security posture.
  • It enables system-wide debugging interfaces: sudo DevToolsSecurity -enable.
  • It modifies the signature of the WeChat application to allow attaching debuggers: `sudo codesign --force --sign
  • --entitlements ... /Applications/WeChat.app/Contents/MacOS/WeChat`.
  • [EXTERNAL_DOWNLOADS]: The install.sh script downloads multiple pre-compiled native binaries (wechat, wechatd, wechat-bridge, wechat-wechaty-gateway) from GitHub releases at runtime.
  • [DATA_EXFILTRATION]: The skill extracts and stores sensitive database decryption keys in local files (~/.wx-rs/keys.json). While primarily used locally, the skill communicates with a remote profile API (wxp.leeguoo.com) to report application fingerprints and pull configuration, which constitutes a network surface for potential data leakage.
  • [PROMPT_INJECTION]: The skill creates an attack surface for indirect prompt injection by ingesting untrusted data (WeChat messages) into the agent's context through commands like wechat history and wechat listen. The skill's ability to execute commands and make network requests increases the risk if the agent is manipulated by instructions embedded in messages.
  • Ingestion points: wechat history, wechat unread, wechat listen (SKILL.md).
  • Boundary markers: Absent; messages are provided as text blocks.
  • Capability inventory: Native binary execution, network requests to author's domain, file system access to WeChat data, shell execution via --on-message handler.
  • Sanitization: Basic cleaning of group prefixes and XML tags, but no robust escaping against prompt injection.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/leeguooooo/wechat-skill/main/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 22, 2026, 12:46 AM
Security Audit — agent-trust-hub — wechat