wechat-writer

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.70). Yes — the prompt explicitly instructs the agent to "be a living person" (impersonate a human) which is a deceptive instruction outside the stated purpose of a writing-assistant skill and thus constitutes a prompt-injection-style directive to misrepresent identity.

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly asks users to paste API keys/AppSecret (e.g., "配图密钥是 sk-xxxx"/AppID/AppSecret) and instructs the agent to write those values into config files and run validation/upload scripts, which requires the LLM to handle and emit the secret values verbatim (e.g., config content or commands), creating an exfiltration risk despite masked receipts.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly auto-fetches and scrapes arbitrary user-supplied URLs (including mp.weixin.qq.com and other public web pages via WebFetch/Playwright) and ingests that untrusted, user-generated content to extract titles, learn styles, update persona, and drive downstream actions as described in WORKFLOW.md "URL 检测与文章抓取" and SKILL.md parameter rules, so third‑party pages can materially influence its decisions and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches user-supplied webpages at runtime (notably mp.weixin.qq.com) via Playwright (installed/used at runtime) and injects the scraped article content into the agent’s learning/generation pipeline, so mp.weixin.qq.com is a runtime external dependency whose fetched content directly controls prompts/instructions.