space-weread-coach
Pass
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill retrieves user content from the official WeChat Reading API at `i.weread.qq.com`. This communication is required for the skill to access the user's notebooks, bookmarks, and reviews.
- [COMMAND_EXECUTION]: The skill runs local Python scripts included in the package to manage its data cache and history. The `pick_review.py` script specifically uses `subprocess.run` to call `osascript` for displaying macOS desktop notifications. This is implemented without the shell, which significantly limits potential command injection risks.
- [DATA_EXFILTRATION]: User reading data is synchronized to a local cache at `/tmp/space-weread-coach/` and a state directory in the user's home folder. This storage is used to facilitate offline retrieval and historical tracking of reviewed highlights, and the data is not sent to any unauthorized third-party servers.
- [PROMPT_INJECTION]: The skill processes highlights and reviews which are sourced from external user data. While this creates an indirect prompt injection surface where reading notes could theoretically contain instructions for the agent, the risk is minimized by the skill's specific focus on managing the user's own personal content from a well-known service.
Audit Metadata