中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:2 days ago Rescan
5 /100
email-suite
IMAP/SMTP email client with local caching for AI agents
This is a legitimate IMAP/SMTP email client with standard email protocol handling. The flagged base64 usage is false positive - it decodes RFC 2047 encoded email subjects, not obfuscated code.
Skill Nameemail-suite
Duration38.9s
Enginepi
Safe to install
No security concerns identified. The skill is safe to use as documented.

Findings 3 items

Severity Finding Location
Info
RFC 2047 Subject Decoding
Buffer.from(text, 'base64') at imap.js:147 is standard email subject decoding for encoded-word format (e.g., =?UTF-8?B?dGVzdA==?=). This is NOT code obfuscation.
return Buffer.from(text, 'base64').toString('utf-8');
→ No action needed - this is legitimate email protocol handling
 scripts/imap.js:147
Low
Custom IMAP Client ID
IMAP identification shows 'moltbot/netease/[email protected]' which differs from skill name 'email-suite'. Minor inconsistency but not malicious.
const IMAP_ID = { name: 'moltbot', vendor: 'netease', 'support-email': '[email protected]' }
→ Consider using consistent naming for transparency
 scripts/imap.js:13
Info
Dependencies Not Version-Pinned
package.json uses caret ranges (^16.6.1) instead of exact versions. Creates potential supply chain risk if packages are compromised.
"dotenv": "^16.6.1"
→ Pin exact versions for reproducible builds and security
 package.json:1
ResourceDeclaredInferredStatusEvidence
Filesystem READ WRITE ✓ Aligned SKILL.md documents cache and attachment storage
Network READ WRITE ✓ Aligned Connects to configured IMAP/SMTP servers only
Environment READ READ ✓ Aligned Reads .env for email credentials only
1 Critical 10 findings
🔒
Critical Encoded Execution Base64 编码执行(代码混淆)
Buffer.from(text, 'base64'
scripts/imap.js:147
🔗
Medium External URL 外部 URL
https://myaccount.google.com/apppasswords
README.md:190
📧
Info Email 邮箱地址
[email protected]
README.md:101
📧
Info Email 邮箱地址
[email protected]
README.md:145
📧
Info Email 邮箱地址
[email protected]
README.md:162
📧
Info Email 邮箱地址
[email protected]
README.md:181
📧
Info Email 邮箱地址
[email protected]
README.md:182
📧
Info Email 邮箱地址
[email protected]
SKILL.md:38
📧
Info Email 邮箱地址
[email protected]
SKILL.md:199
📧
Info Email 邮箱地址
[email protected]
scripts/imap.js:19

File Tree

8 files · 61.3 KB · 2112 lines
JavaScript 2f · 1387L Markdown 3f · 491L Shell 1f · 170L JSON 1f · 36L Text 1f · 28L
├─ 📁 scripts
│ ├─ 📜 imap.js JavaScript 960L · 28.8 KB
│ └─ 📜 smtp.js JavaScript 427L · 11.9 KB
├─ 📝 CHANGELOG.md Markdown 30L · 1.3 KB
├─ 📄 env.txt Text 28L · 804 B
├─ 📋 package.json JSON 36L · 895 B
├─ 📝 README.md Markdown 216L · 6.7 KB
├─ 🔧 setup.sh Shell 170L · 4.3 KB
└─ 📝 SKILL.md Markdown 245L · 6.6 KB

Dependencies 4 items

PackageVersionSourceKnown VulnsNotes
imapflow ^1.2.10 npm No Standard IMAP client library
nodemailer ^7.0.13 npm No Standard SMTP library
mailparser ^3.9.3 npm No Standard email parsing
dotenv ^16.6.1 npm No Version not pinned

Security Positives

✓ No data exfiltration or unauthorized network connections detected
✓ Credentials are stored locally in .env only (not committed to repo)
✓ No access to sensitive paths (~/.ssh, ~/.aws, etc.)
✓ No reverse shells, C2, or remote code execution patterns
✓ Documentation includes security warnings about credential protection
✓ Uses standard, well-known email libraries (imapflow, nodemailer)
✓ Proper TLS configuration with certificate verification
✓ Local caching is sandboxed to .cache/ directory