Email Intelligence
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill lets it inspect email metadata from the configured account, which may include personal or work messages.
The skill depends on an already-configured email account, which means it can act through whatever IMAP access himalaya has.
Requires himalaya CLI configured with IMAP.
Use it only with the intended mailbox, review the himalaya configuration, and prefer the least-privileged/read-only setup available.
Private sender and subject information may appear in the generated report, and subject lines should not be treated as trusted instructions.
The script includes email sender addresses and subject lines in its ghost report output, placing private and potentially untrusted email metadata into the agent/report context.
'senderEmail': sender.get('addr', ''),
'subject': email.get('subject', ''),Keep reports local, redact sensitive senders or subjects before sharing, and treat email-derived text as untrusted content.
Users may not realize before reading the skill instructions that it depends on an external mail CLI and an IMAP-configured account.
The skill documents runtime dependencies that are not reflected in the registry metadata, which lists no required binaries, environment variables, or primary credential.
- **himalaya CLI** configured with IMAP access - Python 3.6+
Declare himalaya, Python, and the email-account dependency in metadata or installation requirements for clearer user review.