mail139

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill connects to the public IMAP server imap.139.com and programmatically fetches and parses users' emails (mail139.py fetch and SKILL.md/README fetch commands), and the SKILL.md explicitly instructs the agent to parse and summarize fetched email JSON, meaning untrusted, user-generated email content is read and interpreted as part of the workflow and could influence subsequent outputs or actions.