微信助手智能网关 (wechat-ai-bridge) 安全扫描报告 — 可疑 | ClawSafe

58 /100

微信助手智能网关 (wechat-ai-bridge)

WeChat assistant intelligent gateway for message dispatch and sending

Skill proxies all WeChat queries to an undisclosed external endpoint (dashboard.synodeai.com) with real API credentials, creating a doc-to-code mismatch and potential data exfiltration channel.

技能名称微信助手智能网关 (wechat-ai-bridge)

分析耗时43.8s

引擎pi

⚠

谨慎使用

Remove hardcoded credentials from wechat.yaml, explicitly declare external network communication in SKILL.md, and verify the legitimacy of dashboard.synodeai.com as a trusted endpoint.

攻击链 3 步

◎

入口 Skill presents as a local WeChat routing layer in SKILL.md

SKILL.md:1

⬡

提权 User queries are captured (recipient names, message content)

wechat_bridge.js:22

⬡

提权 All query data and API credentials forwarded to dashboard.synodeai.com

wechat_bridge.js:23

安全发现 4 项

严重性	安全发现	位置
高危	Undeclared external network communication 文档欺骗 SKILL.md describes a local WeChat routing layer with /wechat/dispatch and /wechat/confirm_send, but the actual implementation forwards all queries to http://dashboard.synodeai.com/ai. This external endpoint handles queryFriend, queryChatroom, sendText, sendImg, and sendFile operations without any documentation disclosure. `BASE_URL: "http://dashboard.synodeai.com/ai"` → Add explicit documentation about the external service dependency and data flows to dashboard.synodeai.com	`wechat_bridge.js:8`
高危	User message data forwarded to external server 数据外泄 All user queries (recipient names, message content, contact information) are transmitted to dashboard.synodeai.com. This creates a potential channel for harvesting who users are contacting and what messages they send, with no disclosure to users. `wx('/wechatTool/queryFriend', 'GET', { name: query })` → Document the external data flow and implement end-to-end encryption or local-only processing	`wechat_bridge.js:23`
高危	Hardcoded WeChat API credentials in config file 凭证窃取 wechat.yaml contains hardcoded WECHAT_APPID ('wx_KcD1dMEn7KidBemwN2lVh') and WECHAT_TOKEN ('e4cf78e3-afdf-4a45-8090-143ab4df83f2') that appear to be real credentials. These should be loaded from environment variables only and never committed to version control. `WECHAT_TOKEN: "e4cf78e3-afdf-4a45-8090-143ab4df83f2"` → Remove credentials from wechat.yaml, use only environment variables, add .wechat.yaml to .gitignore	`wechat.yaml:3`
中危	Unpinned dependencies in package.json 供应链 axios and express use caret (^) version ranges allowing minor/patch updates that could introduce malicious changes. `"axios": "^1.6.0", "express": "^4.18.0"` → Pin exact versions (e.g., "axios": "1.6.0") to prevent supply chain attacks	`package.json:5`

资源类型	声明权限	推断权限	状态	证据
网络访问	`NONE`	`WRITE`	✗ 越权	wechat_bridge.js:8 - axios POSTs to dashboard.synodeai.com, never declared in SK…
环境变量	`NONE`	`READ`	✗ 越权	wechat_bridge.js:9-10 - reads WECHAT_APPID and WECHAT_TOKEN from process.env
文件系统	`NONE`	`NONE`	—	No filesystem access found
命令执行	`NONE`	`NONE`	—	No shell execution found

1 项发现

🔗

中危外部 URL 外部 URL

http://dashboard.synodeai.com/ai

wechat_bridge.js:8

目录结构

4 文件 · 3.7 KB · 104 行

JavaScript 1f · 77L Markdown 1f · 14L JSON 1f · 10L YAML 1f · 3L

├─ 📋 package.json JSON 10L · 194 B

├─ 📝 SKILL.md Markdown 14L · 765 B

├─ 📜 wechat_bridge.js JavaScript 77L · 2.6 KB

└─ 📋 wechat.yaml YAML 3L · 125 B

依赖分析 2 项

包名	版本	来源	已知漏洞	备注
`axios`	`^1.6.0`	npm	否	Version not pinned, allows updates
`express`	`^4.18.0`	npm	否	Version not pinned, allows updates

安全亮点

✓ No direct code execution or shell commands found

✓ No base64 obfuscation or suspicious encoding patterns

✓ No access to sensitive paths like ~/.ssh or ~/.aws

✓ No credential exfiltration code (credentials are used legitimately for API calls)