NadMail
Warn
Audited by Snyk on Apr 27, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill's required scripts (e.g., scripts/inbox.js) call the public API at https://api.nadmail.ai (/api/inbox and /api/inbox/:id) to fetch and display email bodies and subjects (user-generated/untrusted content) as part of the documented workflow, which the agent reads and could materially influence subsequent actions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly integrates blockchain wallets and private-key handling (NADMAIL_PRIVATE_KEY, managed encrypted wallet, mnemonic options) and describes signing flows (SIWE, wallet.signMessage). It also states it "can trigger on‑chain transactions (micro-buys / emo-buy)" and exposes a spending cap env var (NADMAIL_EMO_DAILY_CAP) and confirmation flags (--yes) for emo-buy. These are specific crypto/transaction capabilities (wallet signing and on‑chain buys), which constitute direct financial execution.
Issues (2)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W009
MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).