Mail Mcp
Review
Audited by ClawScan on May 18, 2026.
Overview
This email skill is purpose-aligned, but it asks for full mailbox credentials and can send or delete email through unpinned GitHub-installed code without clear approval safeguards.
Review and pin the GitHub mail-mcp-server code before installing, use an app-specific or limited mailbox credential, prefer a virtual environment, and require manual confirmation before any send, forward, delete, move, or folder-changing action.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked incorrectly, the agent could send messages or delete/move mailbox content.
The skill exposes email sending and destructive mailbox operations. These are coherent with an email management skill, but the artifact does not describe explicit user confirmation, scoping, or reversibility for high-impact actions.
2. **Send email**: supports plain text, HTML, attachments ... 4. **Manage folders**: list, create, delete, rename folders ... 5. **Email operations**: mark read/unread, star, move, copy, delete
Require explicit user approval before sending, forwarding, deleting, moving, or folder-management actions; show recipients, message IDs, folder names, and a summary before execution.
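One way to implement the confirmation gate this recommendation describes, as an added example that is not part of the ClawScan review or of the mail-mcp-server project: read-only tools pass straight through, while send, forward, delete, move and folder-changing tools are held until an explicit approval callback sees a summary of recipients, message IDs and folder names. Only `search_emails` appears in the reviewed artifact; the other tool names, the argument field names and the `approve`/`run` callbacks are assumptions.

```python
import json
from dataclasses import dataclass
from typing import Any, Callable

# Hypothetical tool names for this gate: only search_emails is in the reviewed
# artifact, the rest are assumptions modelled on the SKILL.md capability list
# (send, folder management, move/copy/delete). Values are the fields shown to
# the user before the call is allowed to run.
HIGH_IMPACT_TOOLS = {
    "send_email": ("to", "cc", "bcc", "subject"),
    "forward_email": ("message_id", "to"),
    "delete_email": ("message_id", "folder"),
    "move_email": ("message_id", "folder", "target_folder"),
    "delete_folder": ("folder",),
    "rename_folder": ("folder", "new_name"),
}
READ_ONLY_TOOLS = {"search_emails", "get_email", "list_folders"}


@dataclass
class Decision:
    tool: str
    needs_approval: bool
    summary: str


def plan_call(tool: str, args_json: str) -> Decision:
    """Classify a tool call and build the summary the user must see first."""
    args = json.loads(args_json)
    if tool in READ_ONLY_TOOLS:
        return Decision(tool, False, f"{tool} (read-only): {json.dumps(args)}")
    if tool not in HIGH_IMPACT_TOOLS:
        # Unknown tools fail closed: approval required, every argument shown.
        return Decision(tool, True, f"{tool} (unclassified): {json.dumps(args)}")
    # Show only the fields the review asks for (recipients, IDs, folders), not bodies.
    shown = {k: args[k] for k in HIGH_IMPACT_TOOLS[tool] if k in args}
    return Decision(tool, True, f"{tool} (high-impact): {json.dumps(shown)}")


def execute(tool: str, args_json: str,
            approve: Callable[[str], bool],
            run: Callable[[str, dict], Any]) -> dict:
    """Call run(tool, args) only after approve(summary) for high-impact tools."""
    decision = plan_call(tool, args_json)
    if decision.needs_approval and not approve(decision.summary):
        return {"status": "blocked", "summary": decision.summary}
    return {"status": "executed", "result": run(tool, json.loads(args_json))}


if __name__ == "__main__":
    # Constructed sample: a delete is blocked, a search runs without prompting.
    deny = lambda summary: False
    fake_server = lambda tool, args: f"called {tool}"
    print(execute("delete_email", '{"message_id": "1234", "folder": "INBOX"}', deny, fake_server))
    print(execute("search_emails", '{"folder": "INBOX", "limit": 10}', deny, fake_server))
```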
Installing and configuring the skill may give the MCP server access to the user's mailbox, including reading mail and sending messages as the user.
The skill requires mailbox credentials for IMAP/SMTP access. This is expected for the purpose, but it grants broad read/send/manage authority and is under-declared because the registry lists no required env vars or primary credential.
"EMAIL_USER": "your-email@example.com", "EMAIL_PASSWORD": "your-password"
Use an app-specific password or least-privilege mailbox account where possible, avoid reusing a main password, and ensure the registry declares the required credential and environment variables.
A change in the remote repository or install-time behavior could affect the code that receives mailbox credentials and performs email operations.
The installer fetches and installs unpinned remote code from GitHub and bypasses system package protections. The reviewed artifact set does not include the mail-mcp server code that will handle email credentials and mailbox actions.
REPO_URL="https://github.com/AdJIa/mail-mcp-server.git" ... pip install git+$REPO_URL --break-system-packages -q
Pin to a reviewed commit or release, avoid --break-system-packages, prefer a virtual environment, and review the mail-mcp-server source before providing credentials.
Sensitive email text or attachments could be exposed to the local MCP server and the agent session during normal use.
Email search results, message details, and attachments are passed through an MCP tool boundary. This is expected for the stated mail integration, but users should understand that mailbox content and attachments may enter the agent/tool context.
mcporter call mail-mcp.search_emails --args '{"folder": "INBOX", "limit": 10}' ... Attachments are transmitted as base64-encoded data
Only query or attach files you intend the agent to process, and avoid using the skill with highly sensitive mail unless the MCP server and local environment are trusted.
