Scan Report
0/100
email-suite (imap+smtp)
Unified email CLI for reading (IMAP) and sending (SMTP) email with local caching, markdown-to-HTML conversion, and attachment management
Standard IMAP/SMTP email client with legitimate functionality; the flagged Buffer.from base64 decode is RFC 2047 MIME subject decoding (a false-positive IOC).
Safe to install
No action needed. The skill is a clean, documented email CLI. Optionally pin dependency versions in package.json for supply-chain hygiene.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | WRITE | ✓ Consistent | scripts/utils/imap.js:saveCachedMessages(), download() writes to .cache/ — decla… |
| Network access | NONE | WRITE | ✓ Consistent | IMAP/SMTP connections to email providers — core functionality declared in SKILL.… |
| Command execution | NONE | WRITE | ✓ Consistent | setup.sh uses npm install; mail.js is Node.js — standard tooling, no arbitrary c… |
| Environment variables | NONE | READ | ✓ Consistent | Reads IMAP/SMTP credentials from .env — required for declared email functionalit… |
| Clipboard | NONE | NONE | — | |
| Browser | NONE | NONE | — | |
| Database | NONE | NONE | — | |
| Skill invocation | NONE | NONE | — | |
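1 critical · 11 findings
| Severity | Category | Finding | Match | Location |
|---|---|---|---|---|
| Critical | Encoded execution | Base64-encoded execution (code obfuscation) | Buffer.from(text, 'base64' | scripts/utils/format.js:44 |
| Medium | External URL | External URL | https://myaccount.google.com/apppasswords | README.md:68 |
| Medium | External URL | External URL | https://nodejs.org/ | setup.sh:23 |
| Info | Email | Email address | [email protected] | .env.example.txt:4 |
| Info | Email | Email address | [email protected] | .env.example.txt:24 |
| Info | Email | Email address | [email protected] | README.md:125 |
| Info | Email | Email address | [email protected] | README.md:164 |
| Info | Email | Email address | [email protected] | README.md:181 |
| Info | Email | Email address | [email protected] | README.md:200 |
| Info | Email | Email address | [email protected] | README.md:201 |
| Info | Email | Email address | [email protected] | SKILL.md:183 |
Directory structure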
13 files · 79.6 KB · 2618 lines
JavaScript: 7 files · 1688 lines
Markdown: 3 files · 571 lines
Shell: 1 file · 300 lines
JSON: 1 file · 36 lines
Text: 1 file · 23 lines
├─ scripts
│  ├─ utils
│  │  ├─ args.js (JavaScript)
│  │  ├─ env.js (JavaScript)
│  │  ├─ format.js (JavaScript)
│  │  ├─ imap.js (JavaScript)
│  │  ├─ index.js (JavaScript)
│  │  └─ smtp.js (JavaScript)
│  └─ mail.js (JavaScript)
├─ .env.example.txt ⚠ (Text)
├─ CHANGELOG.md (Markdown)
├─ package.json (JSON)
├─ README.md (Markdown)
├─ setup.sh (Shell)
└─ SKILL.md (Markdown)
Dependency analysis: 9 items
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| dotenv | ^16.6.1 | npm | No | Major version unpinned but widely used |
| imap | ^0.8.19 | npm | No | Unmaintained but no security issues |
| imap-simple | ^5.1.0 | npm | No | Wrapper around imap |
| imapflow | ^1.2.10 | npm | No | Modern imap client |
| mailparser | ^3.9.3 | npm | No | Standard email parsing |
| nodemailer | ^7.0.13 | npm | No | Standard SMTP library |
| marked | ^17.0.5 | npm | No | Markdown parser, version unpinned |
| mime-types | ^3.0.2 | npm | No | Standard MIME type detection |
| iconv-lite | ^0.7.2 | npm | No | Character encoding conversion |
Security highlights
✓ RFC 2047 MIME subject decoding (Buffer.from base64) is standard email handling, not obfuscation — the pre-scan flagged it as a false positive
✓ No arbitrary code execution; all shell usage is confined to npm install/setup
✓ No credential exfiltration; IMAP/SMTP credentials stay local and are used only for email operations
✓ No hidden functionality; SKILL.md and README.md accurately describe all features
✓ Local caching is scoped to .cache/ directory within the skill folder
✓ No suspicious network patterns (direct IPs, C2 communications, or unexpected outbound traffic)
✓ No sensitive path access (no ~/.ssh, ~/.aws, or environment variable enumeration)
✓ Attachments are downloaded only to user-specified or .cache/attachments/ paths
✓ All email commands are documented and traceable to specific source files