Hide My Email

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill’s purpose is coherent, but it installs unreviewed remote runtime code that may later run with broad macOS Accessibility control.

Only install this if you are comfortable reviewing or trusting the upstream GitHub code, because the provided artifacts do not include the actual `hme` and AppleScript files that will automate System Settings. Grant Terminal Accessibility only after that review, and consider revoking it when finished.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the upstream repository changes or is compromised, the user could install different code than what was reviewed, and that code may run after Terminal has Accessibility access.

Why it was flagged

The actual `hme` executable and AppleScript automation are fetched from a remote repository and are not included in the provided file manifest, so the reviewed artifacts do not show the code that will drive System Settings.

Skill content

git clone --depth=1 --quiet "$REPO" "$INSTALL_DIR"
cp "$INSTALL_DIR/hme" "$BIN_DIR/hme"
cp "$INSTALL_DIR/hide_my_email.applescript" "$BIN_DIR/hide_my_email.applescript"

Recommendation

Inspect the upstream `hme` and AppleScript files before installing, pin the install to a specific audited commit or release, and avoid granting Accessibility access until the runtime code is trusted.

What this means

The permission is needed for this UI-automation approach, but it gives broad control to Terminal, not only to this specific command.

Why it was flagged

Granting Accessibility to Terminal is a broad local privilege that lets terminal-run scripts control the macOS UI, including the iCloud System Settings flow described by the skill.

Skill content

Then grant Accessibility permissions to Terminal:
System Settings → Privacy & Security → Accessibility → add Terminal

Recommendation

Grant Accessibility only if you trust the installed code, run the command manually, and revoke Terminal’s Accessibility permission when you no longer need the tool.

What this means

A user who runs the one-liner executes the remote installer in their shell.

Why it was flagged

The skill documents a remote shell-script install path. This is common for CLI tools, but it executes downloaded code during setup.

Skill content

command: "curl -fsSL https://raw.githubusercontent.com/manikal/hide-my-email/v1.0.1/install.sh | sh"

Recommendation

Prefer cloning and inspecting the repository first, or download the installer and review it before running it.