agent-email-patterns

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly ingests inbound emails from external senders (e.g., Pattern 2: "Agent reads the reply" using msg.extracted_text or msg.text in SKILL.md, and Topology 1 which forwards messages received via WebSockets/webhooks), meaning untrusted, user-generated email content is read and fed to LLMs and can influence routing and agent actions.