handoff

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to extract session_id/project_dir from JSON and embed them verbatim into subsequent shell commands (e.g., HANDOFF_SESSION_ID="<session_id>" python3 ...), and also shows curl examples with Authorization headers, which forces the LLM to handle and output secret-like values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly receives and processes untrusted, user-generated content from external Lark groups—e.g., wait_for_reply.py / send_and_wait.py and handoff_ops.py (download-image, download-file, merge-forward) and permission_bridge.py poll card actions—and treats that content as input that drives decisions and tool usage (approving permissions, running commands, editing files) during the handoff loop.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly polls and interacts at runtime with a user-provided Cloudflare Worker endpoint (worker_url, e.g. https://.workers.dev) to fetch card actions/replies that are injected into the agent loop and drive prompts/permission decisions, and the worker_url is a required dependency for handoff to function.