{"skill":{"slug":"agentcloak-email-proxy","displayName":"AgentCloak - Email Proxy that filters PII, 2FA, and password resets","summary":"Secure email proxy for AI agents. Search, read, and draft emails via MCP with server-side credential isolation, PII redaction, prompt injection detection, an...","description":"---\nname: agentcloak\ndescription: \"Secure email proxy for AI agents. Search, read, and draft emails via MCP with server-side credential isolation, PII redaction, prompt injection detection, and content filtering. Unlike raw Gmail/IMAP skills, your agent never sees passwords or unfiltered content. Self-host or use the hosted version.\"\nhomepage: https://github.com/ryanfren/AgentCloak\nuser-invocable: true\nmetadata:\n  clawdbot:\n    emoji: \"\\U0001F6E1\\uFE0F\"\n    requires:\n      bins:\n        - mcporter\n      env:\n        - AGENTCLOAK_API_KEY\n    primaryEnv: AGENTCLOAK_API_KEY\n---\n\n# AgentCloak\n\nSecure email proxy for AI agents. AgentCloak sits between your agent and your email, so the agent gets useful email access without seeing credentials, sensitive financial data, PII, or prompt injection attacks.\n\nEvery other email skill on ClawHub gives your agent raw, unfiltered access to your inbox. AgentCloak is the only one with a built-in security pipeline.\n\n## What makes this different\n\n- **Credential isolation** — your email password/OAuth tokens stay server-side; the agent only has an API key\n- **4-stage content filter** — blocklist, HTML sanitizer, PII redaction, prompt injection detection\n- **Read + draft only** — agents can search, read, list, and draft emails but cannot send, delete, or modify anything\n- **Draft safety** — drafts are never sent automatically; you review them first\n- **Self-host or hosted** — run your own instance or use the hosted version\n\n## Setup\n\n### Option A: Hosted version (quickest)\n\n1. Sign up at https://agentcloak.up.railway.app\n2. Connect your email (IMAP works with any provider, Gmail OAuth available by invite)\n3. Create an API key in the dashboard\n4. Configure:\n\n```bash\nexport AGENTCLOAK_API_KEY=ac_your_key_here\nmcporter config add agentcloak \\\n  --baseUrl \"https://agentcloak.up.railway.app/mcp\" \\\n  --header \"Authorization: Bearer $AGENTCLOAK_API_KEY\"\n```\n\n### Option B: Self-hosted\n\n1. Clone and run:\n\n```bash\ngit clone https://github.com/ryanfren/AgentCloak.git\ncd agentcloak\npnpm install && pnpm build && pnpm dev\n```\n\n2. Open http://localhost:3000, create an account, connect email, create API key\n3. Configure:\n\n```bash\nexport AGENTCLOAK_URL=http://localhost:3000\nexport AGENTCLOAK_API_KEY=ac_your_key_here\nmcporter config add agentcloak \\\n  --baseUrl \"${AGENTCLOAK_URL}/mcp\" \\\n  --header \"Authorization: Bearer $AGENTCLOAK_API_KEY\"\n```\n\n**Requirements for self-hosting:** Node.js 20+, pnpm 10+\n\n## Available tools\n\n| Tool | Description | Key parameters |\n|------|-------------|----------------|\n| `search_emails` | Search emails with Gmail-style queries | `query`, `max_results` (1-200), `page_token` |\n| `read_email` | Read full email content by ID | `message_id` |\n| `list_threads` | List conversation threads | `query`, `max_results`, `page_token` |\n| `get_thread` | Read all messages in a thread | `thread_id` |\n| `create_draft` | Create a draft (not sent) | `to`, `subject`, `body`, `in_reply_to_thread_id` |\n| `list_drafts` | List existing drafts | `max_results` |\n| `list_labels` | List all labels with unread counts | (none) |\n| `get_provider_info` | Get provider type and capabilities | (none) |\n\n## Usage examples\n\n```bash\n# Search for unread emails\nmcporter call agentcloak.search_emails query:\"is:unread\" max_results:10\n\n# Read a specific email\nmcporter call agentcloak.read_email message_id:\"abc123\"\n\n# Get a full conversation thread\nmcporter call agentcloak.get_thread thread_id:\"thread456\"\n\n# Draft a reply (not sent until you review it)\nmcporter call agentcloak.create_draft subject:\"Re: Meeting\" body:\"Sounds good, see you Thursday.\" in_reply_to_thread_id:\"thread456\"\n\n# List labels and unread counts\nmcporter call agentcloak.list_labels\n```\n\n## Security pipeline\n\nEvery email passes through a 4-stage filter before the agent sees it. Each stage is independently configurable from the dashboard.\n\n### Stage 1: Blocklist\n\nBlocks emails from sensitive senders outright. Three toggleable categories:\n\n- **Financial** — 40+ domains (Chase, PayPal, Venmo, Coinbase, etc.)\n- **Security senders** — patterns like security@, fraud@, alerts@, .gov addresses\n- **Security subjects** — password resets, 2FA codes, verification links, login alerts\n\nPlus custom blocklists: add your own domains, sender patterns, or subject patterns.\n\n### Stage 2: HTML sanitizer\n\nConverts HTML email to plaintext and strips dangerous Unicode (zero-width characters, bidirectional overrides, tag characters, variation selectors) that could be used to hide prompt injection.\n\n### Stage 3: PII redaction\n\nRedacts sensitive patterns with placeholders:\n\n- SSNs, credit card numbers, bank account/routing numbers\n- API keys (`sk_`, `pk_`, AWS keys), bearer tokens, PEM private keys\n- Optionally: email addresses, large dollar amounts\n\n### Stage 4: Prompt injection detection\n\nScans for 19 known injection patterns (instruction overrides, role reassignments, system tag injections, data exfiltration attempts). Flags detected content with a `[AGENTCLOAK WARNING]` prefix so the agent knows the email may be adversarial. Does not block — lets the agent make an informed decision.\n\n## Security and privacy\n\n**What data leaves your machine:**\n\n| Scenario | Data flow |\n|----------|-----------|\n| Self-hosted | Nothing leaves your machine. All processing is local. |\n| Hosted version | Your email credentials are stored server-side (encrypted). Email content passes through the hosted server's filter pipeline. No data is shared with third parties. |\n\n- API keys are hashed (SHA-256) before storage — the server cannot recover your key after creation\n- Email credentials are stored server-side; the agent never sees them\n- All filtering happens server-side before content reaches the agent\n- The agent can only read and draft — it cannot send, delete, or modify emails\n- Source code is open: https://github.com/ryanfren/AgentCloak\n\n**Trust statement:** By using the hosted version, you trust the AgentCloak server with access to your email account credentials and content. If this is not acceptable, self-host your own instance for full control.\n\n## Email providers\n\nAgentCloak supports three connection methods:\n\n- **IMAP** — works with any email provider (Gmail, Outlook, ProtonMail Bridge, Fastmail, etc.)\n- **Gmail OAuth** — direct API access (currently invite-only during beta)\n- **Gmail Apps Script** — manual setup via script.google.com, no Google Cloud project needed\n\n## Limitations\n\n- Read and draft only — no send, delete, or modify\n- Gmail search syntax only (even for IMAP connections, queries are translated)\n- Attachment content is not accessible (metadata can optionally be shown)\n- Gmail OAuth is invite-only during beta; IMAP and Apps Script are open to all\n- Hosted version is in beta\n\n## Links\n\n- Homepage: https://agentcloak.up.railway.app\n- Source: https://github.com/ryanfren/AgentCloak\n- License: BSL 1.1\n","tags":{"latest":"1.0.0"},"stats":{"comments":0,"downloads":1003,"installsAllTime":2,"installsCurrent":2,"stars":0,"versions":1},"createdAt":1771541743466,"updatedAt":1778491585715},"latestVersion":{"version":"1.0.0","createdAt":1771541743466,"changelog":"Initial release. Secure email proxy with PII redaction, prompt injection detection, and content filtering.","license":null},"metadata":{"setup":[{"key":"AGENTCLOAK_API_KEY","required":true}],"os":null,"systems":null},"owner":{"handle":"ryanfren","userId":"s17348mvbrdwrhgnv869hsetkx884mxh","displayName":"ryanfren","image":"https://avatars.githubusercontent.com/u/193449877?v=4"},"moderation":null}