email-unsubscribe-check

This skill's stated purpose (inbox hygiene and unsubscribing) is plausible and many capabilities match the goal (reading mail, extracting unsubscribe links, creating filters). However, it contains multiple high‑risk operational patterns: automatic startup without an explicit kickoff prompt, programmatic retrieval and use of local credentials from 'pass', navigation of arbitrary unsubscribe URLs, and autonomous login + account changes on third‑party sites. These behaviors enable credential forwarding and broad remote state changes and therefore are security‑sensitive. I rate this skill as suspicious/high risk (not confirmed malware) — it needs stricter safeguards (explicit per‑scan consent, per‑site credential confirmation, domain whitelisting, validation of unsubscribe links, and clear audit/logging) before it should be run with access to a user's mailbox and password store.