email

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill’s SKILL.md shows runtime calls to the public stableemail.dev API (e.g., /api/inbox/messages and /api/inbox/messages/read) and instructs the agent to list and read inbox messages, which are untrusted, user-generated third-party email content that could contain instructions influencing subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill explicitly requires running "npx agentcash@latest fetch" at runtime, which fetches and executes remote npm package code (agentcash) to interact with https://stableemail.dev, so the npx/agentcash runtime dependency can execute remote code and is therefore a risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill exposes explicit purchase/payment endpoints (e.g., /api/inbox/buy, /api/subdomain/buy, /api/inbox/topup) with listed prices and workflow steps to buy/top-up services. It requires wallet setup, uses SIWX wallet authentication and the npx agentcash@latest fetch tool, and even mentions on-chain USDC refunds — all indicating the skill performs on-chain or wallet-backed payment transactions. These are specific financial operations (sending payments/topping up and managing paid resources), not generic HTTP or automation capabilities.