agentmail

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests and reads incoming, potentially user-generated emails from external senders (via list_threads/get_thread and the "Check incoming email" and "Sign up for a service" procedures in SKILL.md), so untrusted third-party content can be interpreted by the agent and influence its actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill requires running an external MCP package at runtime via "npx -y agentmail-mcp" (repo referenced at https://github.com/agentmail-to/agentmail-mcp), which fetches and executes remote code and is a required dependency for the AgentMail tools.