Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Apple Mail Search Safe.Bak
v1.0.0Apple Mail search on macOS with fast metadata and full body lookup. Use for finding messages in Mail.app by subject/sender/recipient/date, opening messages,...
⭐ 0· 110·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill name/description, required binary (fruitmail), and SKILL.md all consistently describe a CLI that reads Apple Mail's local Envelope Index and uses AppleScript to fetch message bodies — those capabilities match the stated purpose.
Instruction Scope
SKILL.md explicitly instructs the agent to read ~/Library/Mail/.../Envelope Index (read-only) and use AppleScript to read message bodies. Those actions are necessary for the advertised functionality but involve accessing highly sensitive personal email data; the doc recommends a safe '--copy' mode, which is appropriate.
Install Mechanism
Install is an npm global package (apple-mail-search-cli -> fruitmail). npm packages can execute arbitrary code at install/run time; the skill includes no bundled code for inspection, so you must trust the remote package. This is a moderate risk compared with instruction-only skills that do not pull code from a registry.
Credentials
The skill requests no environment variables or external credentials, which is proportional to its purpose. However, it does require filesystem access to Mail's database, which is intrinsically sensitive but expected for this functionality.
Persistence & Privilege
The skill does not request always:true, no persistent privileges or cross-skill config changes are declared, and autonomous invocation is the platform default. Nothing here elevates privileges beyond normal skill behavior.
What to consider before installing
This skill appears to do what it says (search local Apple Mail), but take these precautions before installing: 1) Verify the upstream npm package and GitHub repo (apple-mail-search-cli / gumadeiras/fruitmail-cli) — inspect package contents and maintainers for malicious install-scripts or unexpected network calls. 2) Note the registry metadata mismatches (different ownerId/slug/version in _meta.json vs registry) — ask the publisher to confirm provenance. 3) Expect the tool to read your Mail database and run AppleScript to access message bodies — do not install if you cannot trust the package. 4) If you proceed, run with the '--copy'/'read-only' option or test in a restricted/sandboxed account, and audit network activity and the installed binary (npm ls, inspect bin files) before granting broader use.Like a lobster shell, security has layers — review code before you run it.
latestvk97fppy7b1n08awfgtrr7zpyv1838xrx
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📧 Clawdis
Binsfruitmail
Install
Install fruitmail CLI (npm)
Bins: fruitmail
npm i -g apple-mail-search-cli