weixin-agent-sdk

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's runtime message loop (start(agent)) ingests untrusted, user-generated WeChat content (see "Incoming (WeChat → Agent)" and examples where req.text and downloaded media are passed to the Agent), and also auto-downloads arbitrary HTTPS remote URLs (see "Remote image URL" / troubleshooting), meaning third-party content is read and can directly influence agent behavior.