lingzhu

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The plugin exposes the agent to untrusted third‑party content because its HTTP SSE endpoint (/metis/agent/api/sse — implemented in extension/src/http-handler.ts and documented in references/install.md) accepts messages and image URLs from the Lingzhu platform which are downloaded (downloadImageToFile) and fed into OpenClaw/OpenAI processing, and the model's responses (and parsed message text) are used to trigger device tool calls (see extension/src/transform.ts), so external/user-provided content can directly influence tool invocation and agent behavior.