wecom-cs-automation

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly ingests arbitrary user-generated messages via the webhook (wecom_callback / handle_message and workflows/answer_question.py) and feeds that content into KB search and LLM prompt generation which drive replies and escalation logic, so untrusted third‑party content can materially influence agent actions and enable indirect prompt injection.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill includes explicit privileged setup steps (e.g., sudo apt install postgresql-14, sudo -u postgres psql commands, checking ufw, writing system-level logs) that modify the host system state and require sudo access, so it can push an agent to perform privileged changes.