slack-to-gcal

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's SKILL.md explicitly asks for a Slack message link (Step 1) and then runs a script (Step 2) that uses Slack API scopes like reactions:read and users:read.email to fetch reactors and user info from Slack — untrusted, user-generated third-party content that the tool ingests and uses to decide whom to invite, so it could be manipulated to influence actions.