wechat-mp-scraper
Pass
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: SAFE
Flagged categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the AI agent to execute a Python script (`scripts/scrape_wechat_mp.py`) to perform its primary function. This script is part of the skill's distribution and uses the standard Python library.
- [EXTERNAL_DOWNLOADS]: The Python script performs network operations to fetch HTML content from `mp.weixin.qq.com`. It also downloads assets (images, background images) found within the article content to a local directory (`~/wechat-mp-scraper-runs`). The script includes a validation check to restrict the article URL to the official WeChat domain.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it ingests and processes untrusted content from external WeChat articles.
  - Ingestion points: `scripts/scrape_wechat_mp.py` fetches article HTML and assets, which are then saved as `content.md`, `content.json`, and `report.md`.
  - Boundary markers: The instructions do not define clear delimiters or warnings to the agent to ignore instructions embedded within the scraped content.
  - Capability inventory: The agent has the capability to execute the Python script via `python3` and read the generated output files.
  - Sanitization: The script performs text normalization and HTML unescaping but does not sanitize the content for potential malicious prompt instructions targeted at the agent.
Audit Metadata