imapflow
Review
Audited by ClawScan on May 11, 2026.
Overview
This is a coherent instruction-only IMAP/email integration reference, but using it can expose or modify email account data, so credentials and destructive mail actions need care.
Use this skill only if you intend to let the agent help with IMAP email code. Keep mailbox credentials out of source code and logs, fetch the smallest needed set of messages, require confirmation before any delete/move/expunge/mailbox changes, and verify the external `imapflow` package before running generated code.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the generated examples may give the agent or code access to read and manage an email account.
The skill shows use of mailbox credentials or OAuth tokens. That is expected for IMAP, but it grants access to an email account and should be handled as sensitive authority.
auth: {
  user: 'user@gmail.com',
  accessToken: 'ya29.xxxx' // OAuth2 access token
}
Use app-specific passwords or scoped OAuth tokens where possible, store secrets outside code, avoid logging them, and revoke credentials when no longer needed.
Private email bodies, headers, senders, subjects, or attachments could be exposed if broad examples are run or copied into logging workflows.
The examples retrieve full email source and iterate broad mailbox ranges, which can place sensitive email contents or metadata into logs, console output, or agent context.
let msg = await client.fetchOne(client.mailbox.exists, { source: true });
console.log(msg.source.toString());
// Stream all messages
for await (let msg of client.fetch('1:*', { envelope: true }))
Fetch only the fields and message ranges needed, avoid printing full message source, redact sensitive content, and be careful before sharing logs or agent transcripts.
If an agent or generated script uses these methods on the wrong range or mailbox, messages could be moved, expunged, or deleted.
The API reference includes destructive mail operations. They are consistent with an IMAP library reference, but misuse could delete email or mailboxes.
`messageDelete(range, [options])` | Delete messages (\\Deleted + expunge)
`mailboxDelete(path)` | Delete mailbox
Require explicit user confirmation for delete, expunge, move, flag-change, append, or mailbox-management actions, and prefer UID-scoped operations with previews.
Users may need to choose and install the actual Node.js package themselves, so package provenance and version are outside this skill's reviewed artifacts.
The skill itself does not install code, but the reviewed metadata does not identify a source or homepage, and examples depend on an external library that users should verify separately.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Verify the npm package name, maintainer, version, and lockfile in your project before running generated code that imports `imapflow`.
