email-manager
Warn
Audited by Snyk on Mar 9, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's runtime actively connects to IMAP servers and fetches user emails (see scripts/email_client.py fetch_unread and connect_imap, and scripts/check_email.py which ingests email bodies and saves them to cache/emails.json), then uses that untrusted, third-party email content to generate summaries and reply drafts (scripts/reply_draft.py) and can trigger sending (scripts/send_email.py), so external email content can materially influence the agent's decisions and actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The skill connects at runtime to external IMAP/SMTP endpoints (e.g., imap.gmail.com, imap.qq.com, outlook.office365.com) and fetches email content that is injected into the AI summarization/reply generation flow, so remote content can directly influence the agent's prompts/output.
Audit Metadata