spectrum

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests untrusted, user-generated incoming messages via app.messages (see getting-started.md and messages.md) and also scrapes arbitrary URLs for richlink Open Graph metadata at send time (content.md), both of which the agent reads and can use to drive replies/actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The terminal provider auto-downloads and spawns the tuichat binary from GitHub Releases at runtime (see https://github.com/photon-hq/tuichat), which fetches and executes remote code as a required dependency — this meets the criteria for a runtime-executed external dependency.