Scan Report
0 /100
email-suite (imap+smtp)
Unified email CLI for reading (IMAP) and sending (SMTP) email with local caching, markdown-to-HTML conversion, and attachment management
Standard IMAP/SMTP email client with legitimate functionality; the flagged Buffer.from base64 decode is RFC 2047 MIME subject decoding (a false-positive IOC).
Safe to install
No action needed. The skill is a clean, documented email CLI. Optionally pin dependency versions in package.json for supply-chain hygiene.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | WRITE | ✓ Aligned | scripts/utils/imap.js:saveCachedMessages(), download() writes to .cache/ — decla… |
| Network | NONE | WRITE | ✓ Aligned | IMAP/SMTP connections to email providers — core functionality declared in SKILL.… |
| Shell | NONE | WRITE | ✓ Aligned | setup.sh uses npm install; mail.js is Node.js — standard tooling, no arbitrary c… |
| Environment | NONE | READ | ✓ Aligned | Reads IMAP/SMTP credentials from .env — required for declared email functionalit… |
| Clipboard | NONE | NONE | — | |
| Browser | NONE | NONE | — | |
| Database | NONE | NONE | — | |
| Skill Invoke | NONE | NONE | — | |
1 Critical 11 findings
| Severity | Type | Description | Match | Location |
|---|---|---|---|---|
| Critical | Encoded Execution | Base64-encoded execution (code obfuscation) | Buffer.from(text, 'base64' | scripts/utils/format.js:44 |
| Medium | External URL | External URL | https://myaccount.google.com/apppasswords | README.md:68 |
| Medium | External URL | External URL | https://nodejs.org/ | setup.sh:23 |
| Info | Email | Email address | [email protected] | .env.example.txt:4 |
| Info | Email | Email address | [email protected] | .env.example.txt:24 |
| Info | Email | Email address | [email protected] | README.md:125 |
| Info | Email | Email address | [email protected] | README.md:164 |
| Info | Email | Email address | [email protected] | README.md:181 |
| Info | Email | Email address | [email protected] | README.md:200 |
| Info | Email | Email address | [email protected] | README.md:201 |
| Info | Email | Email address | [email protected] | SKILL.md:183 |
File Tree
13 files · 79.6 KB · 2618 lines
JavaScript 7f · 1688L
Markdown 3f · 571L
Shell 1f · 300L
JSON 1f · 36L
Text 1f · 23L
├─ scripts
│ ├─ utils
│ │ ├─ args.js JavaScript
│ │ ├─ env.js JavaScript
│ │ ├─ format.js JavaScript
│ │ ├─ imap.js JavaScript
│ │ ├─ index.js JavaScript
│ │ └─ smtp.js JavaScript
│ └─ mail.js JavaScript
├─ .env.example.txt ⚠ Text
├─ CHANGELOG.md Markdown
├─ package.json JSON
├─ README.md Markdown
├─ setup.sh Shell
└─ SKILL.md Markdown
Dependencies 9 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| dotenv | ^16.6.1 | npm | No | Major version unpinned but widely used |
| imap | ^0.8.19 | npm | No | Unmaintained but no security issues |
| imap-simple | ^5.1.0 | npm | No | Wrapper around imap |
| imapflow | ^1.2.10 | npm | No | Modern imap client |
| mailparser | ^3.9.3 | npm | No | Standard email parsing |
| nodemailer | ^7.0.13 | npm | No | Standard SMTP library |
| marked | ^17.0.5 | npm | No | Markdown parser, version unpinned |
| mime-types | ^3.0.2 | npm | No | Standard MIME type detection |
| iconv-lite | ^0.7.2 | npm | No | Character encoding conversion |
Security Positives
✓ RFC 2047 MIME subject decoding (Buffer.from base64) is standard email handling, not obfuscation — the pre-scan flagged it as a false positive
✓ No arbitrary code execution; all shell usage is confined to npm install/setup
✓ No credential exfiltration; IMAP/SMTP credentials stay local and are used only for email operations
✓ No hidden functionality; SKILL.md and README.md accurately describe all features
✓ Local caching is scoped to .cache/ directory within the skill folder
✓ No suspicious network patterns (direct IPs, C2 communications, or unexpected outbound traffic)
✓ No sensitive path access (no ~/.ssh, ~/.aws, or environment variable enumeration)
✓ Attachments are downloaded only to user-specified or .cache/attachments/ paths
✓ All email commands are documented and traceable to specific source files