Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: mail
Version: 1.2.0
The skill is designed for email operations using the `himalaya` CLI tool and macOS Mail app. It leverages standard system binaries like `osascript` for Mail app synchronization and `security` for secure credential retrieval from the macOS Keychain, which is a legitimate and relatively secure method for handling credentials. The `SKILL.md` explicitly defines a limited scope, read-only data access for email-related paths, and includes strong guardrail instructions for the AI agent (e.g., 'NEVER auto-send', 'NEVER delete without explicit confirmation'). There is no evidence of intentional harmful behavior, unauthorized data exfiltration, persistence mechanisms, or malicious prompt injection attempts against the agent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If approved, the agent can send email from your account, so mistakes in recipients or content could affect real people.
The skill can send email through a CLI, which is a high-impact action, but the documented workflow requires the user to review and explicitly approve the message first.
**NEVER auto-send.** Always follow this flow: ... Show user the complete message ... Wait for explicit "send" or "OK" ... Execute `himalaya message send`
Review every recipient, subject, and body before confirming send, especially for replies, attachments, or bulk messages.
Anyone or any agent action using this setup may be able to read and send mail for the configured account.
The skill uses email account credentials via Keychain and himalaya configuration. This is expected for email access, but it grants access to the configured mailbox.
**Credentials:**
- App Password for Gmail (not regular password), stored in macOS Keychain
- Configure in `~/.config/himalaya/config.toml`
Use app passwords or OAuth tokens that can be revoked, keep the config file protected, and only configure accounts you are comfortable exposing to the agent.
Private messages, sender information, and attachments may be surfaced to the agent during searches or reads.
The skill can read local mail indexes and message or attachment files, which may bring private email content into the agent's working context.
**Read-only paths:**
- `~/Library/Mail/V*/MailData/Envelope Index`
- `~/Library/Mail/V*/MAILBOX/Messages/`
Ask for narrow searches by folder, sender, or date range, and treat email contents as untrusted data rather than instructions.
The security of the skill's mail operations depends on the installed himalaya binary and its configuration.
The skill depends on an external CLI installed outside the skill package. This is normal for the stated purpose, but the user must trust that dependency.
`brew install himalaya` (or `cargo install himalaya`)
Install himalaya from a trusted package source and keep it updated.
