workroom

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill ingests untrusted, user-generated chatroom content that the agent uses to drive behavior — e.g., scripts/read.py calls GET /rooms/{room_id}/messages and scripts/room_rules.py / install_soul/SOUL.md instruct the agent to fetch GET /rooms/{room_id}/rules (and the SKILL.md states the thread history is the agent's memory), so external room messages and owner rules are read and can directly influence replies/actions.