inbox-triage

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly instructs the agent to list and read unread emails via third‑party inbox access (e.g., "Prerequisites" Option A: Gmail via gmailctl or Option B: IMAP via himalaya and the note "This skill reads emails"), so arbitrary external/user-generated email content is ingested and used to triage, draft replies, and make archive/alert decisions, allowing untrusted content to influence actions.