imap-smtp-email
Medium
by gzlicanyi | Audited: 2026-02-26T09:59:20.936Z | Ruleset: 0.2.0
About This Skill
Read and send email via IMAP/SMTP. Check for new/unread messages, fetch content, search mailboxes, mark as read/unread, and send emails with attachments. Works with any IMAP/SMTP server including Gma…
✨ Use authorization code (授权码), not account password
✨ Enable IMAP/SMTP in web settings first
✨
--limit <n>: Max results (default: 10) ✨
--mailbox <name>: Mailbox to check (default: INBOX) ✨
--recent <time>: Only show emails from last X time (e.g., 30m, 2h, 7d) ✨
--mailbox <name>: Mailbox (default: INBOX) ✨
--dir <path>: Output directory (default: current directory) ✨
--to <email>: Recipient (comma-separated for multiple) Use Cases
1
--file <filename>: Download only the specified attachment (default: download all) 2 For Gmail: use App Password if 2FA is enabled
3 Verify server is running and accessible
4 Verify username (usually full email address)
5 For Gmail: use App Password if 2FA enabled
Documentation (Original)
Source: README.md The following is the author's original documentation (often English). For installation, follow “Quick Install” above.
IMAP/SMTP Email Skill
Read and send email via IMAP/SMTP protocol. Works with any IMAP/SMTP server including Gmail, Outlook, 163.com, vip.163.com, 126.com, vip.126.com, 188.com, and vip.188.com.
Quick Setup
- Create
.envfile with your credentials:
# IMAP Configuration (receiving email)
IMAP_HOST=imap.gmail.com
IMAP_PORT=993
IMAP_USER=your@gmail.com
IMAP_PASS=your_app_password
IMAP_TLS=true
IMAP_MAILBOX=INBOX
# SMTP Configuration (sending email)
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_SECURE=false
SMTP_USER=your@gmail.com
SMTP_PASS=your_app_password
SMTP_FROM=your@gmail.com
- Install dependencies:
npm install
- Test the connection:
node scripts/imap.js check
node scripts/smtp.js test
IMAP Commands (Receiving Email)
Check for new emails
node scripts/imap.js check --limit 10
node scripts/imap.js check --recent 2h # Last 2 hours
node scripts/imap.js check --recent 30m # Last 30 minutes
Fetch specific email
node scripts/imap.js fetch <uid>
Search emails
node scripts/imap.js search --unseen
node scripts/imap.js search --from "sender@example.com"
node scripts/imap.js search --subject "important"
node scripts/imap.js search --recent 24h
Mark as read/unread
node scripts/imap.js mark-read <uid>
node scripts/imap.js mark-unread <uid>
List mailboxes
node scripts/imap.js list-mailboxes
SMTP Commands (Sending Email)
Test SMTP connection
node scripts/smtp.js test
Send email
# Simple text email
node scripts/smtp.js send --to recipient@example.com --subject "Hello" --body "World"
# HTML email
node scripts/smtp.js send --to recipient@example.com --subject "Newsletter" --html --body "<h1>Welcome</h1>"
# Email with attachment
node scripts/smtp.js send --to recipient@example.com --subject "Report" --body "Please find attached" --attach report.pdf
# Multiple recipients
node scripts/smtp.js send --to "a@example.com,b@example.com" --cc "c@example.com" --subject "Update" --body "Team update"
Common Email Servers
| Provider | IMAP Host | IMAP Port | SMTP Host | SMTP Port |
|---|---|---|---|---|
| 163.com | imap.163.com | 993 | smtp.163.com | 465 |
| vip.163.com | imap.vip.163.com | 993 | smtp.vip.163.com | 465 |
| 126.com | imap.126.com | 993 | smtp.126.com | 465 |
| vip.126.com | imap.vip.126.com | 993 | smtp.vip.126.com | 465 |
| 188.com | imap.188.com | 993 | smtp.188.com | 465 |
| vip.188.com | imap.vip.188.com | 993 | smtp.vip.188.com | 465 |
| yeah.net | imap.yeah.net | 993 | smtp.yeah.net | 465 |
| Gmail | imap.gmail.com | 993 | smtp.gmail.com | 587 |
| Outlook | outlook.office365.com | 993 | smtp.office365.com | 587 |
| QQ Mail | imap.qq.com | 993 | smtp.qq.com | 587 |
Important for 163.com:
- Use authorization code (授权码), not account password
- Enable IMAP/SMTP in web settings first
Configuration Options
IMAP:
IMAP_HOST- Server hostnameIMAP_PORT- Server portIMAP_USER- Your email addressIMAP_PASS- Your password or app-specific passwordIMAP_TLS- Use TLS (true for SSL, false for STARTTLS)IMAP_REJECT_UNAUTHORIZED- Accept self-signed certsIMAP_MAILBOX- Default mailbox (INBOX)
SMTP:
SMTP_HOST- Server hostnameSMTP_PORT- Server port (587 for STARTTLS, 465 for SSL)SMTP_SECURE- true for SSL (465), false for STARTTLS (587)SMTP_USER- Your email addressSMTP_PASS- Your password or app-specific passwordSMTP_FROM- Default sender email (optional)SMTP_REJECT_UNAUTHORIZED- Accept self-signed certs
Troubleshooting
Connection errors:
- Verify IMAP/SMTP server is running and accessible
- Check host/port settings in
.env
Authentication failed:
- For Gmail: Use App Password (not account password if 2FA enabled)
- For 163.com: Use authorization code (授权码), not account password
TLS/SSL errors:
- For self-signed certs: Set
IMAP_REJECT_UNAUTHORIZED=falseorSMTP_REJECT_UNAUTHORIZED=false
Files
SKILL.md- Skill documentationscripts/imap.js- IMAP CLI toolscripts/smtp.js- SMTP CLI toolpackage.json- Node.js dependencies.env- Your credentials (create manually)
Security Audit
Medium
Summary
Read and send email via IMAP/SMTP. Check for new/unread messages, fetch content, search mailboxes, mark as read/unread, and send emails with attachments. Works with any IMAP/SMTP server including Gmail, Outlook, 163.com, vip.163.com, 126.com, vip.126.com, 188.com, and vip.188.com.
Risk Profile
ToxicSkills Analysis
Blocklist
Not matched
Prompt Injection
Not detected
Toxic Flags
credential-accessexfiltration
No Toxic signals detected by current static checks.
Key Risks 0 items
No LLM risk bullets (LLM disabled or not cached).
Deterministic Findings (Evidence)
| Rule | Severity | File | Snippet |
|---|---|---|---|
| SENSITIVE_ENV | medium | skills/gzlicanyi/imap-smtp-email/scripts/imap.js Line 23 | const DEFAULT_MAILBOX = process.env.IMAP_MAILBOX || 'INBOX'; |
| SENSITIVE_ENV | medium | skills/gzlicanyi/imap-smtp-email/scripts/imap.js Line 50 | user: process.env.IMAP_USER, |
| SENSITIVE_ENV | medium | skills/gzlicanyi/imap-smtp-email/scripts/imap.js Line 51 | password: process.env.IMAP_PASS, |
| SENSITIVE_ENV | medium | skills/gzlicanyi/imap-smtp-email/scripts/imap.js Line 52 | host: process.env.IMAP_HOST || '127.0.0.1', |
| SENSITIVE_ENV | medium | skills/gzlicanyi/imap-smtp-email/scripts/imap.js Line 53 | port: parseInt(process.env.IMAP_PORT) || 1143, |
| SENSITIVE_ENV | medium | skills/gzlicanyi/imap-smtp-email/scripts/imap.js Line 54 | tls: process.env.IMAP_TLS === 'true', |
| SENSITIVE_ENV | medium | skills/gzlicanyi/imap-smtp-email/scripts/imap.js Line 56 | rejectUnauthorized: process.env.IMAP_REJECT_UNAUTHORIZED !== 'false', |
| NET_HTTP_REQUEST | medium | skills/gzlicanyi/imap-smtp-email/scripts/imap.js Line 121 | const fetch = imap.fetch(results, fetchOptions); |
| SENSITIVE_ENV | medium | skills/gzlicanyi/imap-smtp-email/scripts/smtp.js Line 38 | host: process.env.SMTP_HOST, |
| SENSITIVE_ENV | medium | skills/gzlicanyi/imap-smtp-email/scripts/smtp.js Line 39 | port: parseInt(process.env.SMTP_PORT) || 587, |
| SENSITIVE_ENV | medium | skills/gzlicanyi/imap-smtp-email/scripts/smtp.js Line 40 | secure: process.env.SMTP_SECURE === 'true', // true for 465, false for other ports |
| SENSITIVE_ENV | medium | skills/gzlicanyi/imap-smtp-email/scripts/smtp.js Line 42 | user: process.env.SMTP_USER, |
| SENSITIVE_ENV | medium | skills/gzlicanyi/imap-smtp-email/scripts/smtp.js Line 43 | pass: process.env.SMTP_PASS, |
| SENSITIVE_ENV | medium | skills/gzlicanyi/imap-smtp-email/scripts/smtp.js Line 46 | rejectUnauthorized: process.env.SMTP_REJECT_UNAUTHORIZED !== 'false', |
| SENSITIVE_ENV | medium | skills/gzlicanyi/imap-smtp-email/scripts/smtp.js Line 70 | from: options.from || process.env.SMTP_FROM || process.env.SMTP_USER, |
| SENSITIVE_ENV | medium | skills/gzlicanyi/imap-smtp-email/scripts/smtp.js Line 125 | from: process.env.SMTP_FROM || process.env.SMTP_USER, |
| SENSITIVE_ENV | medium | skills/gzlicanyi/imap-smtp-email/scripts/smtp.js Line 126 | to: process.env.SMTP_USER, // Send to self |
| QUALITY_README_PRESENT | low | README Line n/a | README detected |
Scoring Criteria
Each skill is scored across 5 dimensions. The weighted total determines the star rating.
Code Toxicity 100/100 (weight 30%)
Privacy Risk 0/100 (weight 25%)
Permission Scope 80/100 (weight 20%)
Author Reputation 75/100 (weight 15%)
Code Quality 78/100 (weight 10%)
Star Rating Scale
5★ Safe — Score ≥ 80
4★ Good — Score 70–79
3★ Caution — Score 60–69
2★ Risky — Score 40–59
1★ Dangerous — Score < 40
Why This Score?
The following dimensions scored below 60, dragging the overall rating down:
- Privacy Risk: 0/100