email-manager

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill directly fetches and parses external, user-generated email content from IMAP servers (see scripts/email_client.py and scripts/check_email.py, with examples in cache/emails.json and cache/last_summary.txt), and that untrusted content is used to generate summaries, flag importance, create reply drafts, and drive sending decisions—so it can materially influence agent actions and enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill connects at runtime to external IMAP/SMTP endpoints (e.g., imap.gmail.com / smtp.gmail.com and imap.qq.com / smtp.qq.com) to fetch email bodies which are directly injected into the AI summary/reply generation, so external content can control prompts (prompt‑injection risk) and the skill depends on those endpoints to function.