email-triage

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's SKILL.md explicitly "fetches recent emails" and runs the digest script (./plugins/gmail-commander/scripts/digest.ts) using the gmail-cli binary to triage email content with Haiku, so it ingests untrusted third-party email/messages which the agent reads and uses to decide/send notifications—allowing maliciously crafted email content to influence actions.