Mail Skill
Status: Warn. Audited by ClawScan on May 18, 2026.
Overview
This is a coherent mail integration, but it asks for mailbox credentials, can send/delete/manage email, and installs unpinned remote code, so users should review it carefully before use.
Only use this skill if you trust the GitHub mail-mcp package and are comfortable granting mailbox access. Prefer a dedicated mailbox or app-specific password, review the remote code or pin it to a known commit, and require explicit confirmation before any send, forward, delete, move, or folder-management action.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked incorrectly or too broadly, the agent could send unintended emails or delete/alter mailbox content.
These tools can delete mailbox data and send or forward emails from the user's account, but the skill does not document confirmation requirements or guardrails for these high-impact actions.
`delete_folder` | Delete folder ... `delete_email` | Delete email ... `send_email` | Send email ... `send_reply` | Reply to email ... `send_forward` | Forward email
Require explicit user confirmation before sending, forwarding, deleting, moving, or folder-changing actions, and prefer dry-runs or summaries before mutation.

Installing and configuring this skill can give the MCP server broad access to read, send, and manage the user's mailbox.
The skill documentation asks for email account credentials that grant IMAP/SMTP access, while the registry metadata does not declare credentials or environment variables.
Metadata: `Required env vars: none` / `Primary credential: none`; SKILL.md config: `EMAIL_USER`: `your-email@example.com`, `EMAIL_PASSWORD`: `your-password`, `IMAP_HOST`, `SMTP_HOST`
Declare the credential requirements in metadata, use app-specific passwords where possible, restrict the mailbox/account used, and avoid using a primary account password.

A change in the remote repository could change what code is installed and what handles the user's email credentials.
The installer downloads and installs an unpinned GitHub repository and allows pip to modify system-managed packages; the downloaded package code is not included in the reviewed artifacts.
`REPO_URL="https://github.com/AdJIa/mail-mcp-server.git"` ... `pip install git+$REPO_URL --break-system-packages -q`
Pin to a reviewed commit or release, provide a lockfile or package checksum, avoid `--break-system-packages`, and disclose the install behavior in the install spec.

The agent may see sensitive email content, and malicious email text could try to influence the agent if treated as instructions.
The skill can retrieve email content into the agent context. This is purpose-aligned, but email bodies and attachments may contain private data or untrusted instructions from third parties.
`search_emails` | Search emails; `get_email` | Get email details
Treat retrieved email content as untrusted data, limit searches to necessary messages, and avoid exposing email contents unless the user asks.
