analyse-inboxmate

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly shows the InboxMate MCP can "scrape_and_build_knowledge" via Tavily (https://app.psquared.dev/api/mcp) and the Knowledge System uses RAG/searchKnowledge to return scraped page chunks with sourceUrl, meaning the agent ingests and acts on arbitrary third‑party web content that could contain instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill declares a runtime dependency on the InboxMate MCP JSON‑RPC endpoint (https://app.psquared.dev/api/mcp) which exposes operations like update_prompt and scrape_and_build_knowledge that can directly modify agent prompts/knowledge and thus control agent behavior.