inbox-triage
Warn
Audited by Snyk on May 13, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill explicitly requires a Gmail connector and its SKILL.md instructs the agent to scan the user's sent/received messages, read unread emails and attachments, and draft replies based on that content (e.g., "Scan the user's last 50 sent emails", "For each unread email... draft a response", "read the last 3–5 messages" and "pull in and read attachments"), which means it ingests untrusted, third-party email content that can materially influence actions and decisions.
Issues (1)
W011
MEDIUM: Third-party content exposure detected (indirect prompt injection risk).