instantly-autoreply

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly fetches user-generated email content from the Instantly webhook/API (see get_conversation_history in scripts/instantly_autoreply.py) and reads campaign rows from a Google Sheets knowledge base, then directly injects that untrusted text (incoming_email, conversation_history, and KB text) into the Claude prompt in generate_reply — meaning third‑party content can influence model instructions and downstream actions (sending replies).

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill fetches campaign context at runtime from the Google Sheet (https://docs.google.com/spreadsheets/d/1QS7MYDm6RUTzzTWoMfX-0G9NzT5EoE2KiCE7iR1DBLM) via the Sheets API and injects the retrieved "knowledge_base" text directly into the Claude prompt, so that external content controls the model's instructions.