Critical Prompt Injection Vulnerability Exposed in Alive AI Automation Stack

A live prompt-injection vulnerability has been identified in the Alive AI automation stack, allowing untrusted user inputs to bypass all security controls and flow directly into the Claude model's context. The gap, tracked as issue #317, centers on the `promptOverride` parameter at `execute.ts:142`, which is passed to the agent without being processed by the `wrapExternalContent` security function. This means any user-supplied prompt override can inject arbitrary markers and instructions into the model's core prompt, completely sidestepping the established content-sanitization layer.

The vulnerability creates a direct attack surface where malicious inputs—from email bodies, webhook payloads, or user-submitted overrides—can hijack Claude's instructions. This could enable data exfiltration, unauthorized file operations, or the subversion of the agent's intended behavior. The core issue is an architectural mismatch: while the `@webalive/shared` library already exports robust security utilities like `wrapExternalContent()` and `buildSafeExternalPrompt()`, the current automation pipeline fails to call them, leaving a critical gap between external inputs and the model.

This flaw blocks every user-facing automation that accepts prompt overrides until patched, exposing a systemic risk in how untrusted content is handled. The fix requires integrating the existing, but unused, security wrappers into the execution flow, a change that underscores the persistent challenge of securing AI agent interfaces against prompt injection attacks.