rmwt

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's workflow and scripts (SKILL.md + scripts/list_workspace_groups.py and scripts/dissolve_groups.py) call the Lark API (list_bot_chats/get_chat_info) to fetch chat metadata/descriptions (user-generated content) and use that content to decide which bot-owned groups to dissolve, so untrusted third-party content directly influences destructive actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill instructs destructive, state-changing operations (rm -rf on project DBs, removing git worktrees/branches) and explicitly requires running code with dangerouslyDisableSandbox: true (i.e. bypassing the sandbox/security), which meaningfully compromises the agent's host state.