Security Decision Report

wechat_bridge

WeChat bridge skill contains hardcoded credentials in wechat.yaml and uses plaintext HTTP, creating credential exposure and MITM risks that are partially mitigated but not fully declared in SKILL.md.

Install decision first · Source: ClawHub · Scanned: 5 days ago
Files 6
IOC 3
Overreach items 1
Findings 4
Most direct threat evidence
High risk · Credential theft
Hardcoded credentials in wechat.yaml

The wechat.yaml file contains plaintext WeChat API credentials (APPID and TOKEN). These should not be stored in configuration files that may be shared or committed to repositories.

wechat.yaml:2

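Why this conclusion was reached

2 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 1 capability or overreaching behavior beyond what is declared.

Review
Hidden execution and outbound connections

Extracted 3 general-risk artifacts; these need to be judged in context.

Block
Attack chain and high-risk findings

The report contains a 0-step attack chain, plus 2 high-risk or critical findings.

Pass
Dependency and supply-chain hygiene

A dependency structure is present, but no obvious high-risk alerts have been seen so far.

How the risk score was raised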

Hardcoded credentials in config file +20

wechat.yaml contains WECHAT_APPID and WECHAT_TOKEN in plaintext

Plaintext HTTP communication +15

BASE_URL uses http://dashboard.synodeai.com/ai allowing credential interception

Unauthenticated local endpoints +10

No authentication on /wechat/dispatch and /wechat/confirm_send endpoints

Most critical evidence

High risk · Credential theft

Hardcoded credentials in wechat.yaml

The wechat.yaml file contains plaintext WeChat API credentials (APPID and TOKEN). These should not be stored in configuration files that may be shared or committed to repositories.

wechat.yaml:2
Remove hardcoded credentials. Use environment variables exclusively and document the required environment variables in SKILL.md.
High risk · Sensitive access

Plaintext HTTP communication exposes credentials

The BASE_URL is configured to use http:// instead of https://, meaning credentials are transmitted in plaintext over the network, vulnerable to MITM attacks.

wechat_bridge.js:10
Change to HTTPS: 'https://dashboard.synodeai.com/ai' and ensure the server supports TLS.
Medium risk · Privilege escalation

No authentication on local endpoints

The /wechat/dispatch and /wechat/confirm_send endpoints have no authentication, allowing any local process or user to send WeChat messages.

wechat_bridge.js:21
Add authentication middleware (e.g., API key, JWT) to protect message-sending endpoints.
Medium risk · Documentation deception

Credential handling not declared in SKILL.md

SKILL.md does not document that the skill reads WECHAT_APPID and WECHAT_TOKEN from environment variables, nor does it warn about the bundled credentials in wechat.yaml.

SKILL.md:1
Document required environment variables (WECHAT_APPID, WECHAT_TOKEN), warn against using bundled credentials, and explain the trust requirement for the external gateway.

Declared capabilities vs. actual capabilities

Network access · Block
Declared NONE
Inferred WRITE
wechat_bridge.js:13 - Makes outbound HTTP POST/GET requests to external domain
Environment variables · Pass
Declared NONE
Inferred READ
wechat_bridge.js:10-11 - Reads WECHAT_APPID and WECHAT_TOKEN from process.env

Suspicious artifacts and outbound connections

Medium risk · External URL
https://clawhub.ai/user/aw11100

skill-card.md:7

Medium risk · External URL
https://clawhub.ai/aw11100/wechat-new-tool

skill-card.md:29

Medium risk · External URL
http://dashboard.synodeai.com/ai

wechat_bridge.js:8

Dependencies and supply chain

Package | Version | Source | Vulnerabilities | Notes
axios | ^1.6.0 | npm | | Version range allows minor updates
express | ^4.18.0 | npm | | Version range allows minor updates

File composition

6 files · 151 lines
JavaScript 1 file · 77 lines
Markdown 2 files · 56 lines
JSON 2 files · 15 lines
YAML 1 file · 3 lines
Files needing attention · 4
wechat_bridge.js JavaScript · 77 lines
Plaintext HTTP communication exposes credentials · No authentication on local endpoints · http://dashboard.synodeai.com/ai
skill-card.md Markdown · 42 lines
https://clawhub.ai/user/aw11100 · https://clawhub.ai/aw11100/wechat-new-tool
SKILL.md Markdown · 14 lines
Credential handling not declared in SKILL.md
wechat.yaml YAML · 3 lines
Hardcoded credentials in wechat.yaml
Other files · package.json · _meta.json

Security highlights

skill-card.md appropriately documents known risks including credential exposure and unauthenticated endpoints
The code is relatively straightforward without obfuscation or hidden functionality
Uses standard axios and express libraries from npm
No evidence of credential exfiltration beyond legitimate WeChat API usage
Confirmation flow provides user control before final message sending