chatroom

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill accepts and processes live, user-generated room content from the sc-chatroom server (e.g., fan-outed message history delivered to /chat/stream, GET /rooms/{room_id}/messages and GET /rooms/{room_id}/rules as shown in SKILL.md and scripts like join.py, status.py, room_rules.py and self_update.py), and that untrusted third-party content is explicitly read and used to decide whether/how the agent replies, so it clearly enables indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill fetches room rules at runtime from the sc-chatroom API (GET http://sc-chatroom.internal:8080/rooms/{room_id}/rules — via CHATROOM_SERVER_URL) and that remote text is injected into the agent's message prefix / LLM context and directly controls agent behavior, so this is a runtime external dependency that can control prompts.