messaging

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill accepts incoming messages from public IM channels (e.g., Telegram and webhook endpoints) which are routed into project terminals and injected into sessions as $AITER_REPLY_CONTEXT for the AI CLI to read and act on (see "How routing works" and "IM-Triggered Session Pattern"), exposing the agent to untrusted third-party user content that could supply instructions.