baoyu-wechat-summary

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly runs wx-cli (e.g., wx history ... --json) to ingest WeChat group messages (user-generated chat content from the WeChat data directory) and SKILL.md shows the agent must read and interpret those messages (Rounds 1–3) — even using in-chat digest text to adjust anchors/behavior (Step 3.8) — so untrusted third-party content can materially influence actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly requires disabling the runtime sandbox (dangerouslyDisableSandbox) and instructs/encourages running sudo chown/sudo wx init and other privileged commands that modify user-owned system files, which asks the agent to bypass security boundaries and perform privileged state changes.