1. Atlas Webhook Plugin Flaw: Missing Rate Limits Risk Unbounded LLM and Sandbox Costs After Secret Leak
A critical architectural weakness in the Atlas webhook plugin leaves the system exposed to unbounded agent invocations if a channel secret is compromised. The `POST /webhook/:channelId` endpoint — found in `plugins/webhook/src/routes.ts:115-236` — executes queries synchronously upon successful authentication, triggerin...