agent-email

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt explicitly allows passing a secret via a command-line flag (--token ), which can force the agent to include the secret verbatim in generated commands/outputs (an exfiltration risk), even though it also mentions the safer AGNIC_TOKEN env var option.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly includes commands like npx agnic@latest email inbox and email reply showing the agent fetches and reads arbitrary, user-generated email messages from third-party senders (the inbox) which the agent could interpret and act on, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill invokes "npx agnic@latest" commands at runtime (fetching and running the remote npm package code), which means it relies on and executes external code fetched at runtime (npx agnic@latest), creating a high-risk runtime external dependency.