Agentmail.to Inbox Ops
ReviewAudited by ClawScan on May 10, 2026.
Overview
This inbox skill is mostly transparent and purpose-aligned, but its sender allowlist uses broad substring matching before automated replies, so it should be reviewed before real email actions.
Before installing, be comfortable granting an Agentmail API key to scripts that can read, reply, download attachments, and change labels. Patch or carefully test sender matching, use `--dry-run` before real replies, pin/audit dependencies, and keep `.env`, logs, and downloads private.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Automated replies or label changes could be applied to messages from senders the user did not intend to authorize.
This shared sender allowlist predicate uses substring matching, not exact normalized email matching. Because the reply workflow relies on this filter, an allowlisted value can match unintended broader sender strings.
def sender_matches(sender: str, allowed_senders: list[str]) -> bool:
s = sender.lower()
return any(a in s for a in allowed_senders)Change sender matching to parse and compare exact email addresses, or make domain/wildcard matching an explicit separate mode. Use `--dry-run` and manually inspect matched messages before real replies.
The agent may prefer this skill for Agentmail.to email tasks even when the user expected another workflow.
The instructions strongly force tool choice for Agentmail.to email actions. This is scoped to the skill purpose, but it is still a directive that can override agent discretion.
🛑 ALWAYS use this skill when: - Needs to take an email action in Agentmail.to ... ✅ This is THE email tool - not optional, but required.
Only install it if you want this to be the default Agentmail.to inbox workflow, and keep high-impact actions user-confirmed.
Anyone running the skill with that API key can read messages, download attachments, reply, and update labels for the configured inbox.
The scripts use an Agentmail API key to access the configured inbox. This is expected for the integration, and no key logging or unrelated credential use is shown.
api_key = os.getenv("AGENTMAIL_API_KEY")
...
return AgentMail(api_key=api_key), inboxUse a scoped Agentmail key if available, store it only in a private `.env` or environment variable, and revoke it if the workspace is shared or compromised.
The code installed by `uv sync` may change over time as dependency versions change.
Dependencies are purpose-aligned, but lower-bound ranges mean future installs may resolve newer package versions.
dependencies = [ "agentmail>=0.2.17", "python-dotenv>=1.2.1", "httpx>=0.28.1", "pypdf>=5.2.0", "python-docx>=1.1.2", ]
Review generated lockfiles, pin versions for production use, and run dependency audits before using the skill with real inbox credentials.
Malformed or hostile attachments could stress parsers or produce unsafe content for downstream review.
PDF/DOCX text extraction runs in a subprocess. This is disclosed and guarded by opt-in extraction, timeouts, and resource limits, but it still processes untrusted attachment content.
proc = subprocess.run(
cmd,
capture_output=True,
text=True,
timeout=timeout_seconds,
check=False,
)Keep `--extract-text` off unless needed, run attachment parsing in a sandbox/container for untrusted files, and keep parser libraries updated.
Inbox metadata and attachment workflow details may remain on disk after the task and could be exposed if committed or shared.
The scripts persist local operational logs. The logged fields can include inbox identifiers, message IDs, sender filters, attachment IDs, paths, and errors.
log_path = Path(__file__).resolve().parents[1] / "inbox_ops.log" ... f.write(json.dumps(line, ensure_ascii=False, default=str) + "\n")
Keep `.env`, `inbox_ops.log`, and `downloads/` out of version control, restrict file permissions, and delete local logs/downloads when no longer needed.