email

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md explicitly instructs the agent to list and read inbox messages via endpoints like https://stableemail.dev/api/inbox/messages and /messages/read, returning full email text/html/attachments (untrusted, user-generated emails) which the agent is expected to process (e.g., "delete messages when processed"), so third-party message content could materially influence actions and enable indirect prompt injection.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly includes API endpoints that execute paid actions (buy inbox, buy subdomain, top up inbox, send-from-subdomain/inbox with per-email charges) with listed prices, and instructs use of a payment-capable client (npx agentcash@latest fetch) and SIWX wallet authentication. It also mentions on-chain USDC refunds. These are concrete payment/crypto wallet operations (creating purchases and top-ups), not generic HTTP or browser automation, so the skill enables direct financial execution.