worklog

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's workflow and extract.py explicitly read and ingest local chat/session logs and message sources (SKILL.md Step 1: "Hermes 会话" mentioning Telegram/WebUI/飞书 and the extract.py reading Qwen logs in ~/.qwen/tmp and OpenCode DB ~/.local/share/opencode/opencode.db), which are untrusted/user-generated third‑party messages that the agent parses and uses to classify events and generate/send reports—so external content can materially influence decisions and actions.