Sorry about that. But thats the term what is used by Apple to these type of bugs: https://developer.apple.com/security-bounty/ ( Zero-click unauthorized access to sensitive data )
Thats what I thought first too (I am the author). And your guess for the reason is right. AppleScripts need to be stored in ~/Library/Application Scripts/com.apple.mail directory which is outside of the sandbox.