email-api

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt embeds an example API key and instructs storing/loading it and passing it as a --api-key command-line argument (and shows a credentials JSON with a concrete key), which encourages handling and potential verbatim output of secrets.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The code contains explicit, likely-intentional capabilities for data exfiltration — notably unauthenticated file uploads (including an /envs path and README examples to upload .env files) and defaulting to a third‑party API base URL that would receive email contents, contacts and API keys — while there is no obfuscated backdoor or remote‑execution logic, these features enable credential and secrets theft and remote data exfiltration by design.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's scripts (e.g., scripts/email-read.js and scripts/email-forward.js) fetch and parse email content from the external API at EMAIL_API_BASE_URL (default https://agenskill-api.onrender.com or https://agenskill.onrender.com), meaning the agent reads untrusted, user-generated email bodies and uses them to compose/send/forward messages, which could allow indirect prompt injection.