Email Intelligence Assistant

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The code and SKILL.md implement the advertised IMAP → classification → reply → Feishu push flow, but the registry metadata omits required credentials and the runtime code contacts a third‑party validation endpoint and contains several inconsistencies/bugs — proceed with caution.

This package largely does what it says (read IMAP mail, classify, propose replies, push to Feishu), but there are several red flags you should address before using it with real credentials:

- Credentials mismatch: The registry claims no required env vars, but you must provide IMAP credentials (use an app-specific password), an AI API key (OpenAI-compatible or self-hosted endpoint), and a Feishu webhook or app token. Treat these as sensitive.
- Third-party verification: The script will attempt to validate certain API keys by POSTing them (as a Bearer token) to https://geo-api.yk-global.com/validate if the key has a recognized prefix; that discloses the key to that service. If you do not trust that site, do not provide keys with those prefixes.
- Code inconsistencies/bugs: check_emails.py calls functions that are not present (e.g., reply_gen.generate and pusher.push_summary). The package may therefore crash or behave unpredictably without fixes. Do not run it in production until these are fixed.
- Local persistence: The skill creates a cache directory in your home directory. Review its contents and remove it if you uninstall.
- Safe deployment recommendations: test in an isolated environment (VM or container) first; inspect and/or run the code locally line by line; do not supply your primary email password (use app passwords); avoid supplying OpenAI or other API keys you cannot revoke; review config.yaml.example and remove or replace any telemetry/licensing endpoints you do not accept.

If you want to proceed only for evaluation, run with dummy IMAP/Feishu values and without a real API key to avoid disclosing secrets and to reproduce runtime errors safely. If you expect to use this in production, request an updated package from the author that: (1) declares required credentials in metadata, (2) removes or documents the third-party verification and its privacy implications, and (3) fixes the API naming bugs so that the functions called actually exist.

SkillSpector

By NVIDIA

SkillSpector findings are pending for this release.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

No VirusTotal findings
