lessie-email

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly instructs the agent to call get_thread_messages and get_email_detail to read email/thread content (including messages from external senders via Gmail/Outlook), which are untrusted, user-generated third‑party content the agent must interpret to decide replies and follow-up actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's MCP setup runs "npx -y @lessie/mcp-server" (fetching and executing remote npm code at runtime) and points to the runtime endpoint https://app.lessie.ai/email-api/mcp-public/mcp, so it clearly fetches/executes remote code during runtime.