Wecom Voice

The skill contains multiple command injection vulnerabilities in `scripts/send-voice.cjs`. It unsafely interpolates user-provided arguments (`text` and `targetUser`) into shell commands and a PowerShell script executed with `-ExecutionPolicy Bypass`. While the script's logic aligns with its stated purpose of sending WeCom voice messages, the lack of input sanitization allows for arbitrary code execution. No clear evidence of intentional malice or data exfiltration was found, but the implementation is highly insecure.