Security Decision Report

WeChat Assistant Intelligent Gateway (wechat-ai-bridge)

Skill proxies all WeChat queries to an undisclosed external endpoint (dashboard.synodeai.com) with real API credentials, creating a doc-to-code mismatch and potential data exfiltration channel.

Install decision first · Source: manual upload · Scan time: 2026/4/4
Files: 4
IOC: 1
Overreach items: 2
Findings: 4
Most direct threat evidence
01
Skill presents as a local WeChat routing layer in SKILL.md
Initial entry · SKILL.md
02
User queries are captured (recipient names, message content)
reconnaissance · wechat_bridge.js
03
All query data and API credentials forwarded to dashboard.synodeai.com
Data exfiltration · wechat_bridge.js

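Why this conclusion was reached

2 of 4 dimensions triggered
Block
Declared vs. actual capabilities

Found 2 capabilities or overreaching behaviors beyond what is declared.

Review
Hidden execution and outbound connections

Extracted 1 general-risk artifact; it needs to be judged in context.

Block
Attack chain and high-risk findings

The report contains a 3-step attack chain, plus 3 high-risk or critical findings.

Review
Dependency and supply chain hygiene

Found 2 dependency or supply chain indicators that need attention.

Attack chain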

01
Skill presents as a local WeChat routing layer in SKILL.md

Initial entry · SKILL.md:1

02
User queries are captured (recipient names, message content)

reconnaissance · wechat_bridge.js:22

03
All query data and API credentials forwarded to dashboard.synodeai.com

Data exfiltration · wechat_bridge.js:23

How the risk score was raised

Undeclared external network communication +25

SKILL.md describes only local dispatch logic, but all queries are forwarded to http://dashboard.synodeai.com/ai without disclosure

Hardcoded API credentials +18

wechat.yaml contains WECHAT_APPID and WECHAT_TOKEN values that appear to be real credentials; these should never be committed to code

Data exfiltration potential +15

User queries (recipient names, message content, contact data) are forwarded to external server without user consent or documentation

Key evidence

High risk · Documentation deception

Undeclared external network communication

SKILL.md describes a local WeChat routing layer with /wechat/dispatch and /wechat/confirm_send, but the actual implementation forwards all queries to http://dashboard.synodeai.com/ai. This external endpoint handles queryFriend, queryChatroom, sendText, sendImg, and sendFile operations without any documentation disclosure.

wechat_bridge.js:8
Add explicit documentation about the external service dependency and data flows to dashboard.synodeai.com
High risk · Data exfiltration

User message data forwarded to external server

All user queries (recipient names, message content, contact information) are transmitted to dashboard.synodeai.com. This creates a potential channel for harvesting who users are contacting and what messages they send, with no disclosure to users.

wechat_bridge.js:23
Document the external data flow and implement end-to-end encryption or local-only processing
High risk · Credential theft

Hardcoded WeChat API credentials in config file

wechat.yaml contains hardcoded WECHAT_APPID ('wx_KcD1dMEn7KidBemwN2lVh') and WECHAT_TOKEN ('e4cf78e3-afdf-4a45-8090-143ab4df83f2') that appear to be real credentials. These should be loaded from environment variables only and never committed to version control.

wechat.yaml:3
Remove credentials from wechat.yaml, use only environment variables, add .wechat.yaml to .gitignore
Medium risk · Supply chain

Unpinned dependencies in package.json

axios and express use caret (^) version ranges allowing minor/patch updates that could introduce malicious changes.

package.json:5
Pin exact versions (e.g., "axios": "1.6.0") to prevent supply chain attacks

Declared vs. actual capabilities

Network access · Block
Declared: NONE
Inferred: WRITE
wechat_bridge.js:8 - axios POSTs to dashboard.synodeai.com, never declared in SKILL.md
Environment variables · Block
Declared: NONE
Inferred: READ
wechat_bridge.js:9-10 - reads WECHAT_APPID and WECHAT_TOKEN from process.env
File system · Pass
Declared: NONE
Inferred: NONE
No filesystem access found
Command execution · Pass
Declared: NONE
Inferred: NONE
No shell execution found

Suspicious artifacts and outbound connections

Medium risk · External URL
http://dashboard.synodeai.com/ai

wechat_bridge.js:8

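Dependencies and supply chain

| Package | Version | Source | Vulnerabilities | Notes |
| --- | --- | --- | --- | --- |
| axios | ^1.6.0 | npm | | Version not pinned, allows updates |
| express | ^4.18.0 | npm | | Version not pinned, allows updates |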

File composition

4 files · 104 lines
JavaScript: 1 file · 77 lines
Markdown: 1 file · 14 lines
JSON: 1 file · 10 lines
YAML: 1 file · 3 lines
Files needing attention · 3
wechat_bridge.js JavaScript · 77 lines
Undeclared external network communication · User message data forwarded to external server · http://dashboard.synodeai.com/ai
package.json JSON · 10 lines
Unpinned dependencies in package.json
wechat.yaml YAML · 3 lines
Hardcoded WeChat API credentials in config file
Other files · SKILL.md

Security highlights

No direct code execution or shell commands found
No base64 obfuscation or suspicious encoding patterns
No access to sensitive paths like ~/.ssh or ~/.aws
No credential exfiltration code (credentials are used legitimately for API calls)