wenyan-formatter

Warn

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: MEDIUM

Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The script scripts/format.sh uses npx to download the @wenyan-md/cli package from the npm registry. This package is maintained by an external individual and is not associated with a verified or trusted organization.
  • [REMOTE_CODE_EXECUTION]: The skill executes the @wenyan-md/cli package via npx to perform its primary function. Because this package is retrieved from a public registry at runtime and its source code is not audited by the platform, this represents the execution of unverified remote code.
  • [COMMAND_EXECUTION]: The skill relies on a bash script wrapper that invokes system-level commands such as node, npx, mkdir, and cp. While the script uses arrays to handle arguments, it still represents a broad interface for command execution driven by user input.
  • [DATA_EXFILTRATION]: In its 'publish' mode, the skill is designed to send processed content and sensitive configuration data (such as WECHAT_APP_ID and WECHAT_APP_SECRET) to either the WeChat API or a user-specified Wenyan Server URL. This creates a risk surface where sensitive data could be exfiltrated if a malicious server URL is provided or if the third-party CLI tool is compromised.
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it processes untrusted Markdown content provided by the user or read from external files. It lacks boundary markers or sanitization steps to prevent instructions embedded in the Markdown from influencing the agent's behavior during theme selection or publishing.
  • Ingestion points: Processes Markdown input via the --file parameter or the --content string.
  • Boundary markers: None identified; the skill does not use delimiters or warnings to separate user data from instructions.
  • Capability inventory: The skill can execute shell commands (npx), write files (cat, cp), and perform network operations (publish mode).
  • Sanitization: No explicit sanitization or validation of the input Markdown is performed before it is passed to the processing logic.
Audit Metadata

  • Risk Level: MEDIUM
  • Analyzed: Mar 24, 2026, 11:19 AM
Security Audit — agent-trust-hub — wenyan-formatter