agent-mail

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.90). Most URLs are local loopback endpoints (127.0.0.1) used for health/API and are not downloads, but the raw.githubusercontent.com links point to an install.sh in a personal/unverified GitHub repo and are recommended to be fetched/pipe-executed—directly downloading and running an unvetted shell install script from a personal account is a high-risk malware vector.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.75). Outsider free text can enter the LLM context via fetch_inbox / resource://inbox/{agent}?project=...&include_bodies=true and resource://thread/{thread_id}?project=...&include_bodies=true, because those surfaces return message bodies authored by other agents (non-operating-user) and the skill doctrine explicitly supports including bodies.