Missing User Warnings
Medium
- Confidence
- 88% confidence
- Finding
- The README explicitly states that email configuration is stored in `~/.near-email/config.json` and earlier demonstrates passing an SMTP username and password on the command line, but it does not warn users that these are sensitive secrets that must be protected. In the context of an email-reporting skill, credential exposure could let an attacker access the mailbox or abuse the SMTP account for phishing, spam, or account recovery attacks.
