handoff

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests and acts on arbitrary user-generated Lark chat content (see SKILL.md Main Loop Step 3 and Step 4, plus commands like download-file/merge-forward and the lark_im-based wait_for_reply.py / send_and_wait.py flows) — the agent downloads messages/files/threads from external chats and treats them as input that can drive tool use (run commands, edit files, approve actions), which creates a clear vector for indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's runtime scripts call the configured Cloudflare Worker URL (e.g. https://.workers.dev — shown in examples like https://.workers.dev/poll/test?timeout=1) to poll for card actions and user replies, and those responses directly control prompts/permission decisions and the handoff loop, making the external worker a required runtime dependency that can control the agent.