Agentmail
ReviewAudited by ClawScan on May 10, 2026.
Overview
AgentMail is a coherent email integration, but it gives the agent broad autonomous email and service-signup ability through an external MCP server without clear approval or scoping controls.
Install only if you want the agent to have an AgentMail-owned inbox and you are comfortable supervising outbound messages and service signups. Verify and pin the MCP package, protect the API key, and require confirmation before the agent sends, forwards, deletes, or acts on incoming email instructions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could send, forward, or delete agent-mail content, or use verification emails with third-party services, in ways the user did not specifically review.
These instructions grant broad external email and account-flow actions, but the artifacts do not state approval gates, recipient or domain scopes, rate limits, or review requirements before high-impact actions.
Send emails autonomously on behalf of the agent; Sign up for services or authenticate via email; tools include delete_inbox and forward_message.
Require explicit user confirmation before sending, forwarding, deleting inboxes, or using email verification for external services; define allowed recipients, domains, and rate limits.
Future or compromised package versions could change the behavior of the MCP server that receives the AgentMail API key.
The setup runs an external npm MCP package without a pinned version. This is central to the skill, but the reviewed artifacts do not include the package code or an install spec.
command: "npx"; args: ["-y", "agentmail-mcp"]
Verify the AgentMail MCP package source, pin a trusted version, and prefer a documented install spec or lockfile for reproducibility.
Anyone or any process with access to that config or MCP server could potentially use the AgentMail account capabilities allowed by the key.
The skill requires an AgentMail API key stored in Hermes config and passed to the MCP server. This is expected for the service, but it grants account-level access to agent inboxes.
AgentMail API key (required) ... AGENTMAIL_API_KEY: "am_your_key_here"
Protect the config file, use the least-privileged key available, rotate the key if exposed, and declare the credential requirement in metadata.
The agent may expose private email contents or be influenced by malicious instructions embedded in incoming messages or attachments if no caution is applied.
Incoming emails and attachments are retrieved into the agent workflow. That is expected for an email skill, but such content can be sensitive or contain untrusted instructions.
get_thread | Get a specific email thread; get_attachment | Download an email attachment
Treat inbound email and attachments as untrusted, avoid reusing sensitive contents across tasks, and ask the user before acting on instructions from received messages.