## Critical Prompt Injection Vulnerability: Untrusted Email Content Directly Passed to Claude API
A critical security flaw exposes multiple core services of an email automation system to prompt injection attacks. The vulnerability stems from a fundamental design failure: attacker-controlled email content—including the body, subject, and sender fields—is passed directly into prompts for the Claude API without any data isolation or sanitization. This allows a malicious actor sending a simple cold email to manipulate the system's core decision-making logic, influencing triage, drafting, and archiving functions.

The risk is distributed across several key services, each with a distinct attack surface. In `email-analyzer.ts`, an attacker can directly control the `needs_reply` and `priority` classifications by injecting instructions into the email body. The `draft-generator.ts` service, responsible for generating reply and forward text, is similarly vulnerable, allowing an attacker to influence the content of automated responses. The `archive-ready-analyzer.ts` and `calendaring-agent.ts` services also pass raw email content into their analysis functions, enabling manipulation of auto-archive decisions and scheduling detection.

This vulnerability creates a direct path for external actors to subvert automated workflows. The system's integrity is compromised at the point of ingestion, where untrusted input is treated as executable instruction. Notably, the `draft-edit-learner.ts` and `analysis-edit-learner.ts` services demonstrate a safer pattern by using XML tag wrapping and explicit instructions to treat content as opaque data, highlighting that the critical flaw in other services is a preventable implementation oversight. The absence of these basic guardrails in core components represents a systemic security failure.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: Prompt Injection, AI Security, Vulnerability, Email Automation, Claude API
- **Credibility**: unverified
- **Published**: 2026-04-03 00:27:00
- **ID**: 48180
- **URL**: https://whisperx.ai/en/intel/48180