outbound

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill autonomously fetches and reads incoming, user-generated emails (see classify-replies SKILL.md step "Read the reply content..." and the list_received_emails / find_reply_threads tools in references/tools-reference.md) and uses their contents to decide tags and follow-up/send/remove actions, so untrusted third-party content can materially change agent behavior.