roundcube-webmail

[Skill Scanner] [Documentation context] Installation of third-party script detected This skill's described capabilities are consistent with its stated purpose (automating SAML+TOTP Roundcube login and reading emails). The main security concern is the high-sensitivity nature of the data handled: password + TOTP secret in Keychain and automated posting of email content to an external Slack webhook. If the webhook or scripts are misconfigured or malicious, this can lead to data exfiltration. I found no explicit signs of obfuscation or hardcoded malicious endpoints in the provided text, but the absence of the referenced scripts prevents full verification. Recommendation: review the actual scripts (read-mail.js, decode_totp_qr.py, setup-keychain.sh) for secure handling of credentials, absence of credential forwarding to unknown domains, proper TLS verification, and safe logging practices before use; treat the webhook target as highly sensitive and restrict autonomous cron runs to trusted environments. LLM verification: [LLM Escalated] No direct malicious code is present in the provided documentation fragment, and the described capabilities are consistent with a legitimate mail-automation skill. However, the skill handles highly sensitive secrets (password and TOTP secret), instructs execution of local scripts that are not included for audit, and enables fully automated periodic execution that will reuse stored MFA credentials. These factors create a meaningful supply-chain and credential-exfiltration risk unless the reference