qclaw-rules

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). Yes — the SKILL.md "## 1. 浏览器自动化任务" workflow explicitly requires opening target URLs with the isolated browser (使用 computer tool 的 browser 操作) to fetch and interact with web pages, which means the agent will ingest arbitrary public/third-party web content that can influence subsequent actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.70). It mandates automatically attempting to install missing skill dependencies "按系统支持的安装方式执行" and to modify workspace files (auto-writing USER.md), which implicitly encourages running system package/install commands that can change the host state and may require elevated privileges.