The customInstructions field in the LLM personality config (via /api/config-update) flows directly into the system prompt without sanitization. An attacker with config-write access could inject a prompt that exfiltrates task details or modifies agent behavior.
Severity: High
Fix: Treat customInstructions as untrusted input — escape or restrict what can be injected into the system prompt.
The customInstructions field in the LLM personality config (via /api/config-update) flows directly into the system prompt without sanitization. An attacker with config-write access could inject a prompt that exfiltrates task details or modifies agent behavior.
Severity: High
Fix: Treat customInstructions as untrusted input — escape or restrict what can be injected into the system prompt.