action-creator

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill clearly ingests untrusted third-party content (user emails) via context.emailAPI (e.g., templates/forward-bug-report.ts uses context.emailAPI.getEmailById and passes email.body into context.callAgent, and templates/archive-old-newsletters.ts uses searchWithGmailQuery to find and act on emails), and that email content is parsed and fed into AI and action handlers that materially drive sending, labeling, and other operations—exposing the agent to indirect prompt injection risk.