email-cron-handler

This skill will read a mailbox and can cause your agent to execute instructions embedded in emails; that is powerful but also dangerous if misused. Before installing or running it: - Do not place real/privileged credentials in plaintext config.json or pass them in cron payloads. Use an app-specific token, a dedicated throwaway mailbox, or a secure secret store (OS keychain / secrets manager) and avoid embedding secrets in scheduler payloads or agent turns. - Prefer the provided Python script (fetch/reply) to run in a tightly sandboxed environment and avoid giving the LLM direct authorization to 'execute' commands. If you must automate, restrict the allowed command set to a whitelist of safe operations and implement explicit parsing/validation rather than treating the whole email body as executable instructions. - Avoid scheduling regular autonomous agent turns that include secrets; if using a scheduler, ensure payloads do not contain credentials and that the execution environment enforces strict egress/network controls and logging policies. - Use a dedicated, low-privilege mailbox for testing; rotate credentials often; log and monitor outgoing SMTP activity. - If you want to proceed safely, request changes from the skill author (or modify locally): remove credential embedding in cron payloads, make whitelist_sender an explicit list, implement explicit allowed-command parsing, and store secrets in a secure store. Confidence is high that these are genuine risks (design choices rather than mere bugs). Additional information that would reduce risk: (1) confirmation that the agent never receives credentials in runtime payloads and that only the local script runs (no LLM execution), (2) use of secure secret storage for IMAP/SMTP credentials, and (3) an allowlist of permitted commands with sandboxing for any action the agent performs.