Security audit
Security checks across malware telemetry and agentic risk
Overview
The plugin's code, README, and SKILL.md consistently implement an IMAP/SMTP email tool that expects mailbox credentials in its plugin config; nothing requested or instructed is disproportionate to that purpose.
This plugin appears to do exactly what it says: act as an IMAP/SMTP mailbox client. Before installing, (1) plan how you will provide IMAP/SMTP credentials — use an app-specific password or least-privilege account, not your primary account password; (2) keep requireExplicitSendConfirmation=true so the agent cannot send emails without you explicitly approving each send; (3) be aware that attachments are passed as filesystem paths and the plugin will read those files to include them in outbound emails (so do not allow the plugin to attach sensitive local files unless intentional); and (4) if you rely on third-party npm packages in environments handling highly sensitive mail, review their versions and supply-chain provenance.
VirusTotal
No VirusTotal findings
Static analysis
No suspicious patterns detected.
