wechat-devtools

Pass

Audited by Gen Agent Trust Hub on May 28, 2026

Risk Level: SAFECOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides instructions to install the wechat-devtools-mcp package using uv and executes commands to manage the WeChat IDE lifecycle and internal CLI.
  • [REMOTE_CODE_EXECUTION]: The wechat_automator tool's evaluate action enables the execution of arbitrary JavaScript code within the WeChat simulator's logic layer, which is a core function for runtime debugging and interaction.
  • [DATA_EXFILTRATION]: Through the wechat_file tool's read_file action, the agent can read any single file on the local system. While necessary for accessing project source code, this capability could be exploited to read sensitive configuration files if the agent's path input is maliciously controlled.
  • [PROMPT_INJECTION]: The skill creates an attack surface for indirect prompt injection by ingesting and processing untrusted data from the WeChat development environment.
  • Ingestion points: The skill reads console logs via wechat_inspector, current page data via wechat_automator, and source code via wechat_file.
  • Boundary markers: There are no specified boundary markers or instructions to isolate external data from the agent's system prompts.
  • Capability inventory: The skill possesses the ability to execute shell commands, perform JavaScript evaluation, and read files from the local file system.
  • Sanitization: The documentation does not describe any sanitization, filtering, or validation processes for the data retrieved from the WeChat environment before it is provided to the agent.
Audit Metadata
Risk Level
SAFE
Analyzed
May 28, 2026, 10:43 AM
Security Audit — agent-trust-hub — wechat-devtools