slack-channel-monitor

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.95). The runtime cron script polls Slack via conversations.history, search.messages, and conversations.replies, ingesting outsider-authored Slack message text (including thread replies) into the LLM context when it builds initial_prompt/forwarded reply text for create_conversation/send_to_conversation.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The script makes runtime HTTP requests to the agent server (e.g. AGENT_SERVER_URL + "/api/settings" and "/api/conversations") and uses the returned agent settings and secrets to build/seed spawned conversations (directly influencing agent behavior), so the external AGENT_SERVER_URL endpoints are a required runtime dependency that can control prompts.