wechat-rpa-bot
Audited by Snyk on May 11, 2026
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill instructs the agent to ask the user for an Activation Code and then send it verbatim in a POST request body (and also includes an explicit X-API-Key header example), which requires the LLM to handle and emit secret values directly.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.90). These URLs include a direct download of a Windows executable (service.exe) served from a personal/possibly impersonating GitHub account (LeoMusk) together with instructions to create and run desktop .bat files and to contact an external activation site (www.yokoagi.com). Downloading/executing binaries from an untrusted, little-known GitHub user and running them on the desktop is a high-risk pattern for malware distribution (local 127.0.0.1 endpoints themselves are benign, but the workflow depends on the untrusted executable).
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The skill includes multiple deliberate abuse patterns — automated download/exec of an unsigned binary, instructions to collect and forward user JWT/activation tokens to external services, social-engineering to have users launch persistent desktop processes, and an always-running local WebSocket/HTTP bridge that can be commanded programmatically — together these enable credential exfiltration, supply‑chain/backdoor installation and persistent remote control risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's required SOP (docs/auto_config_sop.md Step 3 and SKILL.md activation/install steps) instructs the agent to fetch and parse responses from external services (e.g., POST https://fireflow.yokoagi.com/v1/agent/apps/initialize and downloading service.exe from the GitHub Releases URL), and to ingest those third‑party responses (appName/apiKey, binaries) into configuration and runtime actions, so untrusted public content can directly influence tool use and decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill contains clear runtime instructions to fetch and run remote code (e.g., curl -L -o service.exe https://github.com/LeoMusk/wechat-rpa-bot-skill/releases/download/v1.7.0/service.exe and git clone https://github.com/LeoMusk/wechat-rpa-bot-skill.git) and also calls an external workflow API (https://fireflow.yokoagi.com/v1/agent/apps/initialize) that returns apiKeys/workflow data used to configure agent behavior, so these URLs are runtime dependencies that execute remote code or directly control agent prompts.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.80). This skill tells the agent to download and place an executable, create and write desktop .bat files, start/stop background services, kill processes and launch detached listeners—actions that modify the host system state and enable persistent/privileged behavior (even though it doesn't request sudo), so it poses a significant risk.