interactive-shell

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill runs arbitrary subprocesses and captures their terminal output (e.g., overlay and headless flows use PtyTerminalSession.getTailLines in headless-monitor.ts and session.getOutput/getTailLines in index.ts) and then transfers that output back to the main agent (via Ctrl+T transfers and pi.sendMessage dispatch notifications), which means the agent will read and act on untrusted/user-generated content produced by arbitrary CLIs (README examples include ssh, docker logs, web-facing commands), enabling indirect prompt injection.