qq-quoted-image-recovery

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md workflow explicitly instructs the agent to call OneBot get_msg to recover quoted QQ message payloads, download user-generated image media into .run/artifacts/, and (if needed) send recovered artifacts to a vision model, which means untrusted third-party (user) content is fetched and interpreted as part of the skill (see Workflow steps 2–5 and Local-First Inspection rules).