postmark-inbound
Use when processing incoming emails with Postmark inbound webhooks — building reply-by-email, email-to-ticket, document extraction, or any workflow that receives and parses email.
91
87%
Does it follow best practices?
Impact
96%
1.71xAverage score across 3 eval scenarios
Advisory
Suggest reviewing before use
Security
1 medium severity finding. This skill can be installed but you should review these findings before use.
W011: Third-party content exposure detected (indirect prompt injection risk)
What this means
The skill exposes the agent to untrusted, user-generated content from public third-party sources, creating a risk of indirect prompt injection. This includes browsing arbitrary URLs, reading social media posts or forum comments, and analyzing content from unknown websites.
Why it was flagged
Third-party content exposure detected (high risk: 0.90). The skill receives and processes untrusted, user-generated email content when "Postmark ... POST[s] parsed email data" to your webhook (SKILL.md "Receive JSON" and the Webhook Payload / references/payload-structure.md), and the workflow explicitly parses TextBody/StrippedTextReply, attachments, and MailboxHash to route, create tickets, run "command processing", and take follow-up actions—allowing third-party content to materially influence behavior.
- Repository
- ActiveCampaign/postmark-skills
- Commit
73ea6bf
- Audited
- Security analysis
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.