[HIGH] **Prompt injection via unescaped channel/user in lightweight routines** — `bui

[ironclaw-ci]

[HIGH:75] Issue Found by Staging CI Review

Severity: HIGH
Confidence: 75/100
PR comment: #1359 (comment)

Description

Prompt injection via unescaped channel/user in lightweight routines — build_lightweight_prompt() directly interpolates notify.channel and notify.user values into LLM prompt via format!() without escaping. Backticks provide no security boundary. Attacker controlling routine config could inject arbitrary prompt instructions.

---

Auto-created by staging-ci Claude Code review

[henrypark133]

Triage verdict: FALSE POSITIVE

The notify.channel and notify.user values in build_lightweight_prompt() come from NotifyConfig, which is user-configured routine data persisted by the routine owner. These are trusted configuration values, not untrusted external input. The user is interpolating values from their own routine config into their own routine's prompt — this is not a prompt injection vector.