listener-creator

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill ingests arbitrary incoming email content (subject/body/from) — as shown in SKILL.md and templates like templates/ai-classifier.ts and templates/urgent-watcher.ts — and passes that untrusted, user-generated text into context.callAgent prompts whose outputs directly determine actions (archive, notify, star), creating a clear vector for indirect prompt injection.