mail-skill

What to consider before installing and using this skill: - Credentials: This skill needs your email address and password/app-specific password (IMAP/SMTP). Prefer creating and using an app-specific password or a dedicated mailbox account rather than your primary account. Do not paste credentials into a public place. - Local storage: The skill saves full raw emails (.eml), JSON, and attachments under mail_data (per-account directories). Ensure you are comfortable with those files residing on disk, and that the agent process has only the filesystem/network access you intend. - Registry metadata mismatch: The registry entry shows no required env vars, but the code and example.env clearly expect MAIL_ACCOUNT_* settings. Treat this as a transparency problem — the skill will read .env or environment variables to obtain credentials. - Agent permissions: The agent (or platform) may be able to read saved attachments and email text and could transmit them if given network/file permissions. Limit the agent's outbound/network permissions and consider running the skill in an isolated environment if you are concerned. - Code review: The provided Python code appears to use only IMAP/SMTP and local I/O (no external webhooks or remote upload). If you have the capability, review or run the code in a sandboxed environment first to confirm behavior. Pay attention to any logging or debug prints that might leak info. - Operational hygiene: Rotate credentials if you stop using the skill, restrict mailbox settings (enable app passwords, disable less-secure access), and securely delete mail_data when needed. If you need higher assurance, ask the skill publisher to update registry metadata to declare required env vars and clearly document storage paths, or run the skill against a throwaway mailbox first.