Email Intelligence Assistant

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill mostly implements the advertised IMAP → AI → Feishu workflow, but its code contains undeclared credential usage and a token verification call to an external host (geo-api.yk-global.com) that could leak API keys; there are also a few runtime inconsistencies in the code.

Key things to consider before installing or running this skill:

- The code will read an OPENAI_API_KEY environment variable (even though the metadata says none is required). If you provide your primary API key, the skill may send it to https://geo-api.yk-global.com/validate when the key prefix matches certain values; this would expose the key to a third party. Do not set your primary API key in your environment unless you trust that endpoint.
- The skill writes a cache directory (~/.email_assistant_cache) and expects a config file (config/config.yaml) that will contain IMAP credentials and Feishu tokens. Treat these files as sensitive and avoid putting them in shared or public repos.
- If you want to use the skill, prefer creating scoped or limited API keys, or use a dedicated, low-privilege key for testing. Inspect and, if desired, remove or disable the verify_token/VERIFY_URL logic before running to prevent external verification calls.
- There are some code inconsistencies (method names like generate vs generate_reply, references to push_summary not found in feishu_pusher), so the package may not run correctly out of the box; review and test it in an isolated environment before granting any real credentials.
- If you rely on this skill for production, audit or refactor the parts that POST keys to external hosts, sanitize what is logged, and ensure only necessary email metadata (not raw payloads) is pushed to external services.
- When in doubt, run the scripts in an isolated VM/container and avoid exposing your real mailbox or high-value API keys until you confirm the behavior.

SkillSpector

By NVIDIA

SkillSpector findings are pending for this release.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
