Fail
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs the user to install its components using a high-risk one-liner: 'curl -fsSL https://raw.githubusercontent.com/leeguooooo/wechat-skill/main/install.sh | bash'. This executes a remote shell script from an untrusted repository directly on the host machine.
- [EXTERNAL_DOWNLOADS]: The installation script ('install.sh') downloads pre-compiled native binaries ('wechat', 'wechatd', 'wechat-bridge', 'wechat-wechaty-gateway') from GitHub releases. These executables perform deep system hooks and cannot be audited via static analysis of the skill folder.
- [COMMAND_EXECUTION]: The setup process requires 'sudo' privileges to enable 'DevToolsSecurity' and to perform ad-hoc codesigning on the local WeChat application ('sudo codesign --force --sign - --entitlements ... /Applications/WeChat.app'). This bypasses standard system protections to allow debugger attachment.
- [COMMAND_EXECUTION]: The installer registers a persistent 'LaunchAgent' ('ai.wechat.bridge.plist') to maintain background execution of the bridge service across user sessions and appends export commands to shell profiles ('.zshrc', '.bashrc', 'config.fish').
- [DATA_EXFILTRATION]: The skill provides automated setup for Cloudflare Tunnels ('wechat tunnel setup') to expose the local REST bridge to the internet. While intended for remote automation, this creates a network path for potential data exfiltration of private messages and contact databases if compromised.
- [PROMPT_INJECTION]: The skill provides access to untrusted external data (WeChat messages) through 'wechat listen' and 'wechat history'. An attacker could send a crafted message to the user that, when read by the AI agent, attempts to manipulate its logic or leak information.
  - Ingestion points: 'wechat listen', 'wechat history' in 'SKILL.md'.
  - Boundary markers: Absent. User messages are presented to the agent without explicit markers or instructions to ignore embedded commands.
  - Capability inventory: The agent has the ability to send messages, read files, and interact with the local bridge server.
  - Sanitization: None. Raw message content is interpolated into the agent context.
Recommendations
- HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/leeguooooo/wechat-skill/main/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata