Lightweight email manager with IMAP/SMTP support, advanced search, folder management, and attachment detection. Works with Zoho, Gmail, Outlook, and any IMAP/SMTP provider.
Security Analysis
medium confidenceThe skill appears to implement the stated email features, but there are configuration/metadata inconsistencies and a TLS setting that reduces security — review before use.
The skill's name/description match the code (IMAP/SMTP operations, search, move, attachments). However, registry metadata declares no required environment variables or primary credential, while the runtime instructions and code clearly require EMAIL_USER and EMAIL_PASS. That metadata mismatch is incoherent and could mislead users about what secrets are needed.
SKILL.md and README scope align with email functionality and the included CLI script; they instruct to run npm install and set EMAIL_USER/EMAIL_PASS. However, SKILL.md contains contradictory statements (claims 'zero external dependencies' yet lists npm dependencies), and the runtime code sets imapConfig.tlsOptions.rejectUnauthorized = false which disables certificate verification — a security-reducing behavior not documented or justified in the docs.
There is no install spec in registry (instruction-only), but package.json and SKILL.md instruct users to run 'npm install' to fetch standard packages (nodemailer, imap-simple, mailparser). These dependencies are appropriate for the stated purpose; installing via npm is expected but does pull third-party packages, so users should run 'npm audit' and inspect dependency tree.
The code legitimately needs two environment variables (EMAIL_USER and EMAIL_PASS) to talk to IMAP/SMTP. That credential request is proportionate to the purpose. The problem is the skill manifest/registry metadata does not declare these required env vars or a primary credential, which is misleading. Also the skill recommends app passwords (good), but the code uses process.env directly and exits if credentials are missing.
The skill does not request permanent/always-on inclusion and does not alter other skills or system-wide configs. It runs as a CLI-style script and requires explicit invocation; autonomous invocation is allowed by default on the platform but is not combined with other high privileges here.
Guidance
What to check before installing/use: - Metadata mismatch: the registry lists no required env vars but the tool needs EMAIL_USER and EMAIL_PASS. Treat this as a red flag and prefer skills whose manifest accurately lists required credentials. - TLS/mitm risk: the code disables certificate validation (tlsOptions.rejectUnauthorized = false) for IMAP. Edit scripts/email.js to remove or set this to true, and only use the skill with trusted networks until fixed. - Credentials: use provider 'App Passwords' as recommended (not your main account password). Consider using short-lived credentials or tokens where possible. - Dependency hygiene: the package uses common email libs (nodemailer, imap-simple, mailparser). Run 'npm install' in an isolated environment, run 'npm audit', and inspect installed packages before running. - Source trust: owner and homepage are unknown. If you don't trust the author, review the full scripts/email.js source (it is included) or run in a sandboxed container. If the author updates the registry metadata to declare EMAIL_USER/EMAIL_PASS and either removes or documents why rejectUnauthorized was disabled, and you or a reviewer confirm dependencies, this would raise confidence.
Latest Release
v1.0.1
email-manager-lite v1.0.1 - Added comprehensive README.md with detailed usage, configuration, and provider setup instructions. - Added CHANGELOG.md to document future updates and changes. - No code changes—documentation files only.
More by @jorgermp
Published by @jorgermp on ClawHub
