wechat-2d-render

Fail

Audited by Gen Agent Trust Hub on Apr 27, 2026

Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill clones a third-party repository from https://github.com/sxhzju/wechat-2d.git to the user's workspace. This source is not verified or pinned to a specific secure version.
  • [REMOTE_CODE_EXECUTION]: After cloning the external repository, the script executes pnpm install and pnpm run remotion:render. This pattern runs arbitrary code (including post-install scripts and build logic) defined in the external repository's package.json.
  • [COMMAND_EXECUTION]: The script accepts positional arguments for workspace_dir, output_path, and props_file. These values are used in shell commands and environment variable assignments, which could lead to command injection if the calling environment does not properly sanitize the inputs.
  • [DATA_EXPOSURE]: The script prints absolute file paths to the console upon completion, potentially revealing the internal directory structure of the host environment.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 27, 2026, 03:58 AM