email-suite 安全扫描报告 — 可信 | ClawSafe

5 /100

email-suite

IMAP/SMTP email client with local caching for AI agents

This is a legitimate IMAP/SMTP email client with standard email protocol handling. The flagged base64 usage is false positive - it decodes RFC 2047 encoded email subjects, not obfuscated code.

技能名称email-suite

分析耗时38.9s

引擎pi

✓

可以安装

No security concerns identified. The skill is safe to use as documented.

安全发现 3 项

严重性	安全发现	位置
提示	RFC 2047 Subject Decoding Buffer.from(text, 'base64') at imap.js:147 is standard email subject decoding for encoded-word format (e.g., =?UTF-8?B?dGVzdA==?=). This is NOT code obfuscation. `return Buffer.from(text, 'base64').toString('utf-8');` → No action needed - this is legitimate email protocol handling	`scripts/imap.js:147`
低危	Custom IMAP Client ID IMAP identification shows 'moltbot/netease/[email protected]' which differs from skill name 'email-suite'. Minor inconsistency but not malicious. `const IMAP_ID = { name: 'moltbot', vendor: 'netease', 'support-email': '[email protected]' }` → Consider using consistent naming for transparency	`scripts/imap.js:13`
提示	Dependencies Not Version-Pinned package.json uses caret ranges (^16.6.1) instead of exact versions. Creates potential supply chain risk if packages are compromised. `"dotenv": "^16.6.1"` → Pin exact versions for reproducible builds and security	`package.json:1`

资源类型	声明权限	推断权限	状态	证据
文件系统	`READ`	`WRITE`	✓ 一致	SKILL.md documents cache and attachment storage
网络访问	`READ`	`WRITE`	✓ 一致	Connects to configured IMAP/SMTP servers only
环境变量	`READ`	`READ`	✓ 一致	Reads .env for email credentials only

1 严重 10 项发现

🔒

严重编码执行 Base64 编码执行（代码混淆）

Buffer.from(text, 'base64'

scripts/imap.js:147

🔗

中危外部 URL 外部 URL

https://myaccount.google.com/apppasswords

README.md:190

📧

提示邮箱邮箱地址

[email protected]

README.md:101

📧

提示邮箱邮箱地址

[email protected]

README.md:145

📧

提示邮箱邮箱地址

[email protected]

README.md:162

📧

提示邮箱邮箱地址

[email protected]

README.md:181

📧

提示邮箱邮箱地址

[email protected]

README.md:182

📧

提示邮箱邮箱地址

[email protected]

SKILL.md:38

📧

提示邮箱邮箱地址

[email protected]

SKILL.md:199

📧

提示邮箱邮箱地址

[email protected]

scripts/imap.js:19

目录结构

8 文件 · 61.3 KB · 2112 行

JavaScript 2f · 1387L Markdown 3f · 491L Shell 1f · 170L JSON 1f · 36L Text 1f · 28L

├─ ▾ 📁 scripts

│ ├─ 📜 imap.js JavaScript 960L · 28.8 KB

│ └─ 📜 smtp.js JavaScript 427L · 11.9 KB

├─ 📝 CHANGELOG.md Markdown 30L · 1.3 KB

├─ 📄 env.txt Text 28L · 804 B

├─ 📋 package.json JSON 36L · 895 B

├─ 📝 README.md Markdown 216L · 6.7 KB

├─ 🔧 setup.sh Shell 170L · 4.3 KB

└─ 📝 SKILL.md Markdown 245L · 6.6 KB

依赖分析 4 项

包名	版本	来源	已知漏洞	备注
`imapflow`	`^1.2.10`	npm	否	Standard IMAP client library
`nodemailer`	`^7.0.13`	npm	否	Standard SMTP library
`mailparser`	`^3.9.3`	npm	否	Standard email parsing
`dotenv`	`^16.6.1`	npm	否	Version not pinned

安全亮点

✓ No data exfiltration or unauthorized network connections detected

✓ Credentials are stored locally in .env only (not committed to repo)

✓ No access to sensitive paths (~/.ssh, ~/.aws, etc.)

✓ No reverse shells, C2, or remote code execution patterns

✓ Documentation includes security warnings about credential protection

✓ Uses standard, well-known email libraries (imapflow, nodemailer)

✓ Proper TLS configuration with certificate verification

✓ Local caching is sandboxed to .cache/ directory