IMAP/SMTP Email (Plus)

This package appears to implement a normal IMAP/SMTP email client, but there are red flags you should consider before installing or entering credentials: - Credential mismatch: The registry metadata declares no required environment variables, yet the tool requires IMAP_USER/IMAP_PASS and SMTP_USER/SMTP_PASS (sensitive credentials). Treat this as suspicious: verify the author and provenance before supplying credentials. - Origin/provenance: package.json and README mention 'NetEase' while the registry owner and _meta.json differ—this could be repackaged code. Prefer code from a known/trusted source. - Install behavior: You must run 'npm install' locally; dependencies are common and expected, but running install will write packages to disk. Inspect the included scripts (imap.js, smtp.js, setup.sh) yourself or in a sandbox before running. - Minimize exposure: If you decide to test, use an account with no sensitive mail (or an app-specific/test account), and use app-passwords where supported (Gmail app password, authorization codes) rather than your primary account password. - .env handling: Add the created .env to .gitignore and avoid committing it. Review setup.sh which creates .env to ensure it writes only intended values. - If you cannot verify the publisher, do not provide real credentials. Consider running the tools in a restricted environment or sandbox and review network connections/logs while testing. If you want, I can summarize exactly where the code reads/writes credentials and which files to inspect before running, or help craft safer test steps (sandboxed run, throwaway account, or manual credential parsing).