ProtonMail
Advisory: audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Other machines on the network may be able to reach the bridge ports if the host firewall allows it, increasing the risk around ProtonMail bridge credentials and mailbox access.
The Docker example publishes the IMAP and SMTP bridge ports without a host address in the `-p` value, so Docker binds them on all interfaces (0.0.0.0) rather than only on localhost, which can expose a mailbox-access bridge service beyond the local agent environment.
-p 143:143 -p 1025:25 \
--restart=unless-stopped \
shenxn/protonmail-bridge
Bind bridge ports to localhost only, for example `-p 127.0.0.1:143:143 -p 127.0.0.1:1025:25`, before entering ProtonMail credentials. Do not rely on host firewall rules alone: on Linux, Docker routes published ports through its own iptables chains (the FORWARD path, with DOCKER-USER for local policy), so INPUT-chain tools such as ufw do not filter them unless configured for that.
If the image or repository changes or is compromised, the component receiving your mail credentials could behave differently than reviewed here.
The setup uses an unpinned Docker image and an unpinned source checkout for software that will handle ProtonMail login or bridge credentials.
docker run ... shenxn/protonmail-bridge
...
git clone https://github.com/emersion/hydroxide.git
cd hydroxide && go build ./cmd/hydroxide
Prefer official, verified bridge distributions where possible; otherwise pin Docker image digests or repository commits and review the bridge software before logging in.
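The two observations above amount to a static check over the install spec. The following Python is an added example (not ClawScan's scanner and not the skill's code) that performs that check: it parses the `docker run` and `git clone` commands, flags `-p` publishes that are not bound to a loopback address, images that are not pinned by an `@sha256:` digest, and clones that are not followed by a `git checkout` of a full commit hash. The unpinned sample spec is reassembled from the fragments quoted above (the `-d` flag and line layout are assumptions); the digest and commit in the corrected spec are placeholders, not real values for either project.

```python
import re
import shlex

# Constructed sample: the docker run and git clone fragments quoted on this
# page, reassembled into one install spec. "-d" is an assumption.
UNPINNED_SPEC = """
docker run -d -p 143:143 -p 1025:25 \\
  --restart=unless-stopped \\
  shenxn/protonmail-bridge
git clone https://github.com/emersion/hydroxide.git
cd hydroxide && go build ./cmd/hydroxide
"""

FAKE_DIGEST = "sha256:" + "0" * 64   # placeholder, not the image's real digest
FAKE_COMMIT = "1" * 40               # placeholder, not a real hydroxide commit

# The same spec with the two recommended fixes applied.
PINNED_SPEC = f"""
docker run -d -p 127.0.0.1:143:143 -p 127.0.0.1:1025:25 \\
  --restart=unless-stopped \\
  shenxn/protonmail-bridge@{FAKE_DIGEST}
git clone https://github.com/emersion/hydroxide.git
cd hydroxide && git checkout {FAKE_COMMIT} && go build ./cmd/hydroxide
"""

LOOPBACK = ("127.", "::1", "localhost")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")
# docker run options that consume the next token as their value
VALUE_FLAGS = {"-p", "--publish", "-v", "--volume", "-e", "--env", "--name",
               "--restart", "--network", "-u", "--user", "-w", "--workdir"}


def commands(spec):
    """Join backslash continuations, then split each line into simple
    commands ('&&', '||' and a stand-alone ';' separate commands)."""
    out = []
    for line in spec.replace("\\\n", " ").splitlines():
        cmd = []
        for tok in shlex.split(line):
            if tok in ("&&", "||", ";"):
                if cmd:
                    out.append(cmd)
                cmd = []
            else:
                cmd.append(tok)
        if cmd:
            out.append(cmd)
    return out


def host_ip(publish):
    """Host address part of a -p value, or None when absent (Docker then
    binds all interfaces). Bracketed IPv6 such as [::1]:143:143 is handled."""
    spec = publish.split("/")[0]           # drop /tcp or /udp
    if spec.startswith("["):
        return spec[1:spec.index("]")]
    parts = spec.split(":")
    return parts[0] if len(parts) == 3 else None


def check_docker_run(cmd):
    findings, image, i = [], None, 2       # skip "docker run"
    while i < len(cmd):
        tok = cmd[i]
        if tok.startswith("--") and "=" in tok:
            flag, val = tok.split("=", 1)  # --publish=..., --restart=...
            i += 1
        elif tok in VALUE_FLAGS:
            flag, val = tok, cmd[i + 1]    # -p 143:143, --name x
            i += 2
        elif tok.startswith("-"):
            i += 1                         # boolean flags such as -d
            continue
        else:
            image = tok                    # first positional token is the image
            break
        if flag in ("-p", "--publish"):
            ip = host_ip(val)
            if ip is None or not ip.startswith(LOOPBACK):
                findings.append(f"port publish '{val}' is reachable beyond localhost")
    if image and not DIGEST_RE.search(image):
        findings.append(f"image '{image}' is not pinned by digest")
    return findings


def check_git_clone(cmd, later):
    """A clone counts as pinned only if a later 'git checkout <40-hex>' follows it
    (tags and branches are mutable, so -b/--branch does not count)."""
    for c in later:
        if c[:2] == ["git", "checkout"] and any(COMMIT_RE.match(t) for t in c[2:]):
            return []
    url = next((t for t in cmd[2:] if not t.startswith("-")), "?")
    return [f"clone of '{url}' is not pinned to a commit"]


def lint_install_spec(spec):
    cmds = commands(spec)
    findings = []
    for n, cmd in enumerate(cmds):
        if cmd[:2] == ["docker", "run"]:
            findings.extend(check_docker_run(cmd))
        elif cmd[:2] == ["git", "clone"]:
            findings.extend(check_git_clone(cmd, cmds[n + 1:]))
    return findings


if __name__ == "__main__":
    for f in lint_install_spec(UNPINNED_SPEC):
        print("unpinned spec:", f)
    print("pinned spec:", lint_install_spec(PINNED_SPEC) or "clean")
```

Real pin values come from `docker pull shenxn/protonmail-bridge` followed by `docker inspect --format '{{index .RepoDigests 0}}' shenxn/protonmail-bridge`, and from `git rev-parse HEAD` inside the clone after reviewing it. The linter deliberately treats a tag such as `:latest` as unpinned, since tags can be re-pointed after review.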
Unread emails could be marked as read just because the agent listed or searched messages.
The inbox and search listing paths open the mailbox read-write (SELECT rather than EXAMINE) and fetch headers with `BODY[...]` rather than `BODY.PEEK[...]`; per RFC 3501 a `BODY[...]` fetch implicitly sets the `\Seen` flag on a read-write mailbox, so a command that only appears to list or search mail changes read status on the server.
imap.select('INBOX')
...
imap.fetch(msg_id, '(BODY[HEADER.FIELDS (FROM SUBJECT DATE)])')
Use `imap.select('INBOX', readonly=True)` (which issues EXAMINE) or `BODY.PEEK[...]` for listing and searching, and reserve read-status changes for an explicit read action.
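To see the side effect concretely, here is an added Python example (not the skill's code). It puts a listing in the shape quoted above beside a hardened one and runs both against a constructed in-memory stand-in for an IMAP connection that models the RFC 3501 rule: a `BODY[...]` (or plain `RFC822`) fetch sets `\Seen` unless the section is `BODY.PEEK[...]` or the mailbox was opened read-only. The listing functions use only imaplib's `select`/`search`/`fetch` signatures, so the same functions can be pointed at a real connected `imaplib.IMAP4` session with the bridge (login and TLS setup not shown); the stand-in and the two sample messages are constructed for the demo.

```python
HEADER_FIELDS = "HEADER.FIELDS (FROM SUBJECT DATE)"


class SeenTrackingIMAP:
    """Constructed stand-in for an imaplib.IMAP4 connection (not Proton
    Bridge or hydroxide). It models one RFC 3501 rule: fetching BODY[...]
    or RFC822 implicitly sets the Seen flag, unless BODY.PEEK[...] is used
    or the mailbox was opened read-only (imaplib sends EXAMINE for that)."""

    def __init__(self, messages):
        self.messages = messages      # {msg_id: {"header": str, "seen": bool}}
        self.readonly = None

    def select(self, mailbox="INBOX", readonly=False):
        self.readonly = readonly
        return "OK", [str(len(self.messages)).encode()]

    def search(self, charset, *criteria):
        ids = [i for i, m in self.messages.items()
               if "UNSEEN" not in criteria or not m["seen"]]
        return "OK", [" ".join(ids).encode()]

    def fetch(self, msg_id, message_parts):
        msg = self.messages[msg_id]
        # Only the two fetch forms used below are modelled.
        marks_seen = "BODY[" in message_parts or "(RFC822)" in message_parts
        if marks_seen and not self.readonly:
            msg["seen"] = True        # the side effect the listing path triggers
        return "OK", [(b"", msg["header"].encode())]


def list_headers_marking(imap):
    """The pattern quoted above: read-write SELECT plus a plain BODY[...] fetch."""
    imap.select("INBOX")
    _, data = imap.search(None, "ALL")
    return {i: imap.fetch(i, f"(BODY[{HEADER_FIELDS}])")[1][0][1].decode()
            for i in data[0].decode().split()}


def list_headers_peek(imap):
    """Hardened listing: EXAMINE plus BODY.PEEK, so listing never touches Seen."""
    imap.select("INBOX", readonly=True)
    _, data = imap.search(None, "ALL")
    return {i: imap.fetch(i, f"(BODY.PEEK[{HEADER_FIELDS}])")[1][0][1].decode()
            for i in data[0].decode().split()}


def read_message(imap, msg_id):
    """The explicit read action: the only path that may change read status."""
    imap.select("INBOX")
    return imap.fetch(msg_id, "(RFC822)")[1][0][1]


def unseen(imap):
    imap.select("INBOX", readonly=True)
    return imap.search(None, "UNSEEN")[1][0].decode().split()


def demo():
    """Two identical constructed mailboxes, one listed each way; returns the
    UNSEEN ids left in each afterwards."""
    def mailbox():
        return {"1": {"header": "From: a@example.com\r\nSubject: hi\r\n", "seen": False},
                "2": {"header": "From: b@example.com\r\nSubject: re\r\n", "seen": True}}
    marking, peeking = SeenTrackingIMAP(mailbox()), SeenTrackingIMAP(mailbox())
    list_headers_marking(marking)
    list_headers_peek(peeking)
    return unseen(marking), unseen(peeking)


if __name__ == "__main__":
    print(demo())   # → ([], ['1']): the marking listing consumed the unread state
```

Against a real server the `readonly=True` select alone is enough to protect a listing, but using `BODY.PEEK` as well keeps the code safe if someone later changes the select call; `read_message` is where a deliberate `\Seen` change belongs.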
Installing and using this skill allows the agent to view mailbox metadata and, for the read command, full email bodies.
The skill uses ProtonMail bridge credentials to authenticate to IMAP, which is expected for the stated purpose but grants access to private mailbox data.
PROTONMAIL_USER - Email address
PROTONMAIL_PASS - Bridge password
...
imap.login(CONFIG['user'], CONFIG['password'])
Only configure it for accounts you want the agent to access, protect the config file, and avoid sharing outputs containing sensitive emails.
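One way to act on "protect the config file": an added Python example (not the skill's code) that refuses to load bridge credentials from a file other local accounts can read, and scrubs the bridge password from any text the agent is about to log or return. The JSON layout with `user` and `password` keys is an assumption (the skill's own CONFIG loading is not shown on this page), the file written by `demo` is constructed, and POSIX file permissions are assumed.

```python
import json
import os
import stat
import tempfile   # used only by the self-contained demo


def load_bridge_config(path):
    """Read the bridge user/password from a JSON file (assumed layout:
    {"user": ..., "password": ...}), refusing anything that a different
    local account could read or replace."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path}: not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: group/world accessible, chmod 600 it")
    with open(path) as fh:
        cfg = json.load(fh)
    return {"user": cfg["user"], "password": cfg["password"]}


def redact_secrets(text, cfg):
    """Scrub the bridge password from text before it is shown or logged."""
    secret = cfg.get("password")
    return text.replace(secret, "[REDACTED]") if secret else text


def demo():
    """Write a constructed config, load it with a safe mode, then with an
    unsafe mode; returns the loaded user and whether the unsafe load was refused."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump({"user": "agent@example.com", "password": "bridge-pass-123"}, fh)
    try:
        os.chmod(path, 0o600)
        cfg = load_bridge_config(path)
        os.chmod(path, 0o644)           # now readable by every local account
        try:
            load_bridge_config(path)
            refused = False
        except PermissionError:
            refused = True
        return cfg["user"], refused
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The mode check covers the file itself; the directory holding it should also not be writable by other accounts, otherwise the file can be swapped out from under the owner check.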
Mail bridge access may remain available until the service or container is stopped.
The bridge is documented as a persistent service. That is normal for an IMAP bridge, but it means the credential-bearing component keeps running after setup.
--restart=unless-stopped
...
# Run as service
./hydroxide serve
Run the bridge only where needed, stop it when not in use, and periodically review running containers or services.
