wechat-prohibited-word
Pass
Audited by Gen Agent Trust Hub on Jun 12, 2026
Risk Level: SAFE
COMMAND_EXECUTION
EXTERNAL_DOWNLOADS
DATA_EXFILTRATION
PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a core Python script (scripts/check_sensitive_words.py) to handle file extraction, web scraping, and API communication.
- [EXTERNAL_DOWNLOADS]: The skill requires standard Python libraries (requests, python-docx, beautifulsoup4, playwright) and installs the Chromium browser for web content extraction.
- [DATA_EXFILTRATION]: Extracted user content is sent to the vendor's API at https://redfox.hk/story/api/cozeSkill/sensitiveWordSearch for processing. This is the skill's primary function and targets the author's own infrastructure.
- [CREDENTIALS_UNSAFE]: The Python script automatically reads the user's shell configuration files (e.g., .bashrc, .zshrc) to retrieve the REDFOX_API_KEY. This is intended for seamless configuration but involves accessing sensitive system files.
- [PROMPT_INJECTION]: The skill processes untrusted data from external websites and uploaded files, creating a surface for indirect prompt injection attacks.
  - Ingestion points: the extract_from_file and extract_from_web functions in scripts/check_sensitive_words.py.
  - Boundary markers: No explicit delimiters or isolation instructions are provided to the agent when processing the fetched text.
  - Capability inventory: The agent can execute scripts, perform network operations to the vendor's API, and write optimized text to local files.
  - Sanitization: Content is parsed for text extraction, but the skill lacks mechanisms to prevent the agent from executing instructions potentially hidden within the scraped content.
Audit Metadata