soulflow
Warn
Audited by Snyk on Feb 26, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The included content-pipeline workflow (workflows/content-pipeline.workflow.json and the corresponding README/SKILL.md examples) explicitly instructs agents to use web_search and web_fetch to gather information from arbitrary web sources and to ingest source URLs. The agent therefore fetches and interprets untrusted public third-party content that can materially influence subsequent steps (drafting/publishing), which enables indirect prompt injection.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). Flagged: the skill explicitly tells agents to modify OpenClaw config (~/.openclaw/openclaw.json), create a dedicated worker agent, write files under /root/.openclaw, and grant that worker full tool access and inherited credentials—actions that change the host's state and enable privileged operations.
Audit Metadata