add-gmail-tool

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill wires a Gmail MCP tool that lets the agent call gmail.googleapis.com and read/search user emails (see the tools list and Phase 5 "In your chat, send: 'list my gmail labels' / 'search my inbox...'"), so the agent will ingest untrusted, user-generated email content that could contain instructions influencing its actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill installs and runs the external MCP server @gongrzhe/server-gmail-autoauth-mcp (https://www.npmjs.com/package/@gongrzhe/server-gmail-autoauth-mcp), which is fetched into the image and executed at runtime as the gmail-mcp process that the agent depends on, so external code is executed during skill runtime.