m26-resend-email

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests and acts on user-generated third-party content — e.g., reading Google Sheets rows for send selection (send_campaign.py / references/operational-rules.md), syncing inbox replies via sync_replies_gmail.py, and processing Resend webhooks (webhook_server.py) — which the agent must read/interpret and which can materially change send/follow-up behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly instructs runtime cloning of a remote GitHub repo (gh repo clone OWNER/m26pipeline m26pipeline-email-checkout -- --filter=blob:none --sparse) to obtain the scripts that are pip-installed and executed (python send_campaign.py), so that repository URL is a runtime external dependency that can deliver and execute remote code.