gmail
Warn
Audited by Snyk on Mar 1, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly reads and acts on user emails (untrusted third‑party content) as part of its workflow — see SKILL.md commands like "./run.sh list", "./run.sh classify" and "./run.sh ai-reply" which require the agent to fetch and interpret mailbox messages and then label, archive, spam, or send replies based on that content.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill's installer (bash ~/.claude/skills/gmail/scripts/install.sh) performs a runtime git clone from https://github.com/wayfind/gmail-agent.git and then downloads a remote binary from the repository's GitHub releases (https://github.com/wayfind/gmail-agent/releases/...), so remote executable code is fetched, installed, and run at runtime.