Problem
The component bridge forwards messages from any bot except the runtime's own bot.
Evidence:
- ops/component-bridge.mjs:168-172 returns true for any bot message with extractable text, excluding only selfBotId
- ops/component-bridge.mjs:203-214 sends extracted content to agent --message ... --deliver
Impact
Any other bot in the watched channel can become a prompt-injection source into the runtime agent. This is especially risky with component-only messages, because those are exactly the bridge's target path.
Suggested fix
- Add COMPONENT_BRIDGE_ALLOWED_BOT_IDS and require the author ID to be present
- Keep self-bot exclusion
- Consider accepting only component-only messages, not arbitrary bot text
- Add max extracted text length before forwarding
- Avoid verbose logging of full untrusted extracted text
Validation
- A message from an unlisted bot should be marked seen but not forwarded
- A message from an allowed bot should still be delivered
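
One way to implement the gate from the suggested fix, as an added example (not code from ops/component-bridge.mjs). The message shape (author.id, author.bot, content, components), the function names, the 2000-character cap and the choice to reject rather than truncate over-long text are assumptions.

```javascript
// Added example: hypothetical forwarding gate for the component bridge.
// Assumed message shape: { author: { id, bot }, content, components }.
const MAX_FORWARD_CHARS = 2000; // assumed cap on forwarded text

// Parse COMPONENT_BRIDGE_ALLOWED_BOT_IDS ("id1,id2") into a Set.
// Unset or empty means no bot is allowed (fail closed).
function parseAllowedBotIds(raw) {
  return new Set(String(raw ?? "").split(",").map((s) => s.trim()).filter(Boolean));
}

// Decide what to do with one channel message. Every message is marked seen
// so the bridge does not reprocess it; only allowlisted bots are forwarded.
function decideForward(message, extractedText, opts) {
  const { selfBotId, allowedBotIds, maxChars = MAX_FORWARD_CHARS } = opts;
  const deny = (reason) => ({ seen: true, forward: false, reason, text: null });
  const author = message?.author;
  if (!author?.bot) return deny("not-a-bot");
  // Self-exclusion runs first, so it holds even if selfBotId is allowlisted by mistake.
  if (author.id === selfBotId) return deny("self");
  if (!allowedBotIds.has(author.id)) return deny("bot-not-allowlisted");
  // Component-only: refuse bot messages that also carry free-form content.
  const hasComponents = Array.isArray(message.components) && message.components.length > 0;
  if (!hasComponents || (message.content ?? "").trim() !== "") return deny("not-component-only");
  const text = (extractedText ?? "").trim();
  if (text === "") return deny("no-text");
  // Assumed policy: reject over-long text instead of truncating it.
  if (text.length > maxChars) return deny("too-long");
  return { seen: true, forward: true, reason: "ok", text };
}

// Log metadata only; the untrusted extracted text never reaches the log.
function logLine(message, decision) {
  return JSON.stringify({
    author: message?.author?.id ?? null,
    forward: decision.forward,
    reason: decision.reason,
    chars: decision.text ? decision.text.length : 0,
  });
}
```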