Fail
Audited by Gen Agent Trust Hub on May 22, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The primary installation method for the skill and its binaries is the execution of a remote shell script fetched via curl and piped directly to bash.
- Evidence:
curl -fsSL https://raw.githubusercontent.com/leeguooooo/wechat-skill/main/install.sh | bashfound in README.md and SKILL.md. - [COMMAND_EXECUTION]: The skill requires the user to execute high-privilege commands that weaken system security posture.
- It enables system-wide debugging interfaces:
sudo DevToolsSecurity -enable. - It modifies the signature of the WeChat application to allow attaching debuggers: `sudo codesign --force --sign
- --entitlements ... /Applications/WeChat.app/Contents/MacOS/WeChat`.
- [EXTERNAL_DOWNLOADS]: The
install.shscript downloads multiple pre-compiled native binaries (wechat,wechatd,wechat-bridge,wechat-wechaty-gateway) from GitHub releases at runtime. - [DATA_EXFILTRATION]: The skill extracts and stores sensitive database decryption keys in local files (
~/.wx-rs/keys.json). While primarily used locally, the skill communicates with a remote profile API (wxp.leeguoo.com) to report application fingerprints and pull configuration, which constitutes a network surface for potential data leakage. - [PROMPT_INJECTION]: The skill creates an attack surface for indirect prompt injection by ingesting untrusted data (WeChat messages) into the agent's context through commands like
wechat historyandwechat listen. The skill's ability to execute commands and make network requests increases the risk if the agent is manipulated by instructions embedded in messages. - Ingestion points:
wechat history,wechat unread,wechat listen(SKILL.md). - Boundary markers: Absent; messages are provided as text blocks.
- Capability inventory: Native binary execution, network requests to author's domain, file system access to WeChat data, shell execution via
--on-messagehandler. - Sanitization: Basic cleaning of group prefixes and XML tags, but no robust escaping against prompt injection.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/leeguooooo/wechat-skill/main/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata