Email MCP Helper
Review
Audited by ClawScan on May 10, 2026.
Overview
Review recommended: this skill is openly for email management, but it exposes broad multi-account email read/send/change powers without fully defining when the agent must ask you first.
Install only if you control and trust the MCP server. Pin and review the external images, limit which email accounts are configured, protect the API key, and add clear agent rules requiring your confirmation before sending, forwarding, deleting, scheduling, or running bulk email actions.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or another dependent skill misuses these tools, it could send messages, forward private email, or bulk-change mailbox state across configured accounts.
These are high-impact account actions, including external communications and bulk mutations. The visible instructions only require explicit user direction for some destructive actions, not for all send/forward/schedule/bulk workflows.
It exposes 47 tools covering full email lifecycle management — reading, searching, sending, replying, forwarding, scheduling, folder management, labels, bulk operations...
Add explicit confirmation requirements and clear scopes for sending, forwarding, scheduling, deleting, moving, labeling, and bulk operations; prefer dry-run previews for bulk changes.
Installing or enabling this helper may expose multiple email accounts to agent actions through one MCP connection.
The email account credentials are expected for this integration, but the agent can discover and operate on all accounts configured on the server.
Accounts are configured server-side. Always call `list_accounts` to get the current account names...
Use least-privilege email accounts/API keys, separate personal and production mailboxes where possible, and verify which accounts the MCP server exposes before enabling the skill.
A changed or compromised external image/proxy could affect the email service handling your messages and credentials.
The setup depends on external container images and an unpinned `latest` tag. This is disclosed and purpose-aligned, but provenance and version pinning matter because the server will handle email credentials.
The `email-mcp` image (`ghcr.io/codefuturist/email-mcp:latest`) ... A MCP proxy (e.g. `sparfenyuk/mcp-proxy`) must be installed alongside it...
Pin image versions or digests, review the upstream repository, and deploy the MCP server/proxy only from sources you trust.
If the endpoint is wrong, shared, or poorly secured, private email content and mailbox actions could be exposed through that MCP channel.
Email commands and potentially email content flow through a remote MCP/SSE endpoint protected by an API key. This is normal integration plumbing, but the endpoint identity and key handling are outside the skill.
URL | `https://mcp-server-addres.com/mcp` | Transport | SSE | Auth | API key via `X-API-Key` header
Verify the MCP server URL, require HTTPS, protect and rotate the API key, and avoid connecting the skill to servers you do not control.
A user may be nudged to ignore relevant warnings about broad email permissions.
The skill includes non-functional commentary that may encourage users to discount security warnings, although it also tells users to do their own review.
Clawhub will mark this as a risk... Dont rely on Clawhub, DYOR always!
Evaluate the actual permissions and MCP deployment independently, and do not treat commentary about security reviews as a substitute for reviewing the skill.
