IMAP Email Reader
Warn. Audited by ClawScan on May 10, 2026.
Overview
The IMAP email reader is mostly purpose-aligned, but it handles sensitive mailbox credentials and includes risky documentation for automatically forwarding email summaries to a hardcoded iMessage number.
Install only if you are comfortable giving the agent access to your email. Replace any cron delivery recipient with your own address or number, avoid copying the hardcoded iMessage example, and confirm that .env is actually excluded from version control before entering credentials.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent using this skill with the configured credentials can read email and change read/unread state.
The skill authenticates to the user's IMAP account using local environment credentials. This is expected for an email reader, but it grants access to private mailbox data.
user: process.env.IMAP_USER, password: process.env.IMAP_PASS
Use app-specific or Bridge-generated passwords, limit mailbox access where possible, and only install this for agents you trust with your email.
An agent could mark important messages as read or unread if given broad instructions.
The skill can mutate mailbox state by marking messages read or unread. This is disclosed and aligned with the skill purpose, but it is still a user-visible account change.
await connection.addFlags(uids, '\\Seen'); ... await connection.delFlags(uids, '\\Seen');
Require explicit user approval before changing message flags, especially for bulk UID lists.
A malicious email could try to influence the agent while it summarizes or processes messages.
Fetched email bodies are returned to the agent. Email is untrusted content and may contain instructions attempting to manipulate the agent.
text: parsed.text, html: parsed.html
Treat email bodies as data, not instructions; the agent should ignore commands embedded inside emails.
Installing the skill requires trusting the listed npm packages and their transitive dependencies.
The skill depends on third-party npm packages, which is expected for IMAP and mail parsing. A package-lock is present, reducing but not eliminating supply-chain risk.
"dependencies": {
  "imap-simple": "^5.1.0",
  "mailparser": "^3.7.1",
  "dotenv": "^16.4.7"
}
Install from the included lockfile, keep dependencies updated, and review dependency changes before upgrading.
If copied as written, private email summaries could be sent on a schedule to a phone number that may not belong to the user.
The documented cron workflow automatically summarizes email and delivers it to an iMessage destination with a hardcoded phone number, creating an unclear external data boundary.
clawdbot cron add ... --message "Check for new ProtonMail emails and summarize them" --deliver --channel imessage --to "+15085600825"
Remove the hardcoded recipient, require the user to choose their own destination, and make recurring delivery opt-in with clear review and cleanup instructions.
Users may believe their email password file is protected from accidental commits when the reviewed package does not show that protection.
The supplied file manifest does not include a .gitignore or .env.example, while setup.sh writes IMAP_PASS into .env. The documentation therefore makes a credential-safety claim not backed by the provided artifacts.
The `.env` file is automatically ignored by git ... It's already in `.gitignore`
Include a .gitignore that excludes .env, provide .env.example, consider chmod 600 for .env, and correct the registry metadata to declare the credential requirement.
