pachca-bots
Warn
Audited by Socket on Mar 18, 2026
1 alert found:
Anomaly (LOW): references/link-unfurling.md
The described workflow presents a plausible data leakage risk via link-driven unfurling. It is not inherently malicious, but requires strong safeguards: explicit user consent, strict URL validation, minimal data exposure, least-privilege access for the unfurl bot, explicit allowlists, robust auditing/logging of previews, and clear governance over which domains can receive previews. Implement authentication for webhook/invocation, input/output sanitization, and rate limiting to reduce abuse potential.
Confidence: 59%
Severity: 60%