Apple Mail Search Safe (fruitmail)
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a purpose-aligned Apple Mail search skill, but users should understand that the installed CLI can read local Mail.app message metadata and full email bodies.
This skill looks coherent for searching Apple Mail and claims read-only behavior. Before installing, be comfortable giving the fruitmail CLI access to your local Mail.app database and full email bodies, and remember that the reviewed artifacts did not include the npm package source itself.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill runs and trusts an external npm CLI that was not included in the reviewed artifacts.
The skill depends on an external npm package installed as a global CLI, while the provided artifact set contains only SKILL.md and no package source for static review.
node | package: fruitmail | creates binaries: fruitmail
Install only if you trust the fruitmail npm package and publisher; consider reviewing the linked repository or package contents before installation.
Private emails may be shown to the agent during use, and message text could influence the conversation if not handled as untrusted content.
The skill can retrieve full local email bodies into the agent's context; email contents may be private or may contain untrusted text that should not be treated as instructions.
`body <id>` | Read full email body (AppleScript)
Use the skill only when you want the agent to inspect Apple Mail content, and avoid asking it to process messages that may contain sensitive content or untrusted instructions unless necessary.
