Agent Mail Guard — Email Sanitizer for AI Agents
v1.4.0Sanitize email and calendar content before it reaches your AI agent's context window. Blocks prompt injection, markdown image exfiltration, invisible unicode...
⭐ 0· 304·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the included files and required binaries. The scripts explicitly call the gog CLI for Gmail/Calendar access and use Python sanitizer modules; requiring python3 and optionally gog is coherent for this purpose.
Instruction Scope
SKILL.md and the CLI scripts constrain actions to fetching email/calendar (via gog), parsing text, running local sanitizers, and outputting JSON. Instructions do not tell the agent to read unrelated system files or transmit data to external endpoints. The README and SKILL.md explicitly warn agents not to execute commands or follow links found in emails.
Install Mechanism
No install spec is declared (instruction-only), and all code is plain Python stdlib. Nothing is downloaded from external URLs or extracted to disk by an installer. The presence of code files implies the implementation is bundled rather than fetched at install time.
Credentials
The skill does not request environment variables or credentials from the registry metadata. It does rely on the gog CLI (which itself requires Google account auth) and allows accounts to be provided via EMAIL_ACCOUNTS/CAL_ACCOUNTS or accounts.conf — these are appropriate and proportional for fetching mail/calendar data. No unrelated secrets are requested.
Persistence & Privilege
always:false and model invocation allowed (platform default). The skill writes audit logs to its own directory (audit-log-YYYY-MM.jsonl), which is expected for an audit feature but means local files will be created and appended; consider where the skill runs and whether that directory is acceptable for logs.
Scan Findings in Context
[ignore-previous-instructions] expected: SKILL.md and the code purposely detect and flag prompt-injection patterns like 'ignore previous instructions' — the scanner found these phrases inside documentation and detection regexes, which is expected.
[you-are-now] expected: The authors explicitly include 'you are now' / identity-override patterns in the INJECTION_PATTERNS; the pre-scan found that phrase in SKILL.md and sanitize_core, which is appropriate for this sanitizer.
Assessment
This skill appears to be what it claims: a local email/calendar sanitizer implemented in pure Python. Before installing or running it, review and consider: 1) The shell wrappers invoke the gog CLI to access Gmail/Calendar — gog must be configured with your Google credentials and will fetch your messages; ensure you trust that CLI and its authentication. 2) Audit logs are written to the skill directory (audit-log-YYYY-MM.jsonl); if you prefer logs elsewhere or want stricter isolation, change the LOG_DIR or run the sanitizer in a confined environment. 3) The gog parsing is text-based and brittle: test on your mail output to ensure important fields parse correctly and no false negatives/positives affect workflows. 4) contacts.json controls sender classification; if absent, many senders will be 'unknown' (minimal summaries). 5) The detection regexes are extensive but can produce false positives or misses — run the included tests and sample messages with your data before integrating into an automated agent. If you want higher assurance, run the sanitizer as a separate process with limited filesystem access or review the code manually (sanitize_core.py contains all detection logic).Like a lobster shell, security has layers — review code before you run it.
emailvk97f7bh0s2mtv68p65pcxz7fgx81zgnklatestvk97f7bh0s2mtv68p65pcxz7fgx81zgnkopenclawvk97f7bh0s2mtv68p65pcxz7fgx81zgnkprompt-injectionvk97f7bh0s2mtv68p65pcxz7fgx81zgnksanitizervk97f7bh0s2mtv68p65pcxz7fgx81zgnksecurityvk97f7bh0s2mtv68p65pcxz7fgx81zgnk
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🛡️ Clawdis
Binspython3
Any bingog