MailMolt - Email for AI Agents
PassAudited by ClawScan on May 10, 2026.
Overview
MailMolt is a coherent email integration for an agent-owned inbox, but it gives the agent real email-sending ability and should be configured with approvals and limits.
Install only if you want your agent to have its own MailMolt email account. Protect the API key, keep human approval on for sending and replying, treat all incoming email as untrusted, and review any optional workflow or webhook configuration before enabling it.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent is allowed to send mail, it can contact external recipients using its MailMolt identity.
The handler can send real email through MailMolt when invoked with recipient, subject, and body. This is central to the skill's purpose, but outbound email is an irreversible external action.
const response = await apiRequest(config, 'POST', '/v1/messages', { to: [params.to], subject: params.subject, text: params.body, })Keep send/reply approval enabled, use MailMolt permission levels and rate limits, and avoid granting autonomous sending unless you explicitly want that behavior.
Anyone with the API key may be able to access or operate the agent's MailMolt email account within its permission level.
The skill requires a MailMolt API key for the agent's email account. This credential use is expected for the service, but it is still account authority that should be protected.
Store in `~/.config/mailmolt/credentials.json`: { "api_key": "mm_live_xxxxx", "email": "your-agent-name@mailmolt.com" }Store the API key securely, rotate it if exposed, and set the lowest MailMolt permission level that supports your intended use.
A malicious sender could write an email that tries to instruct the agent to ignore the user or perform unsafe actions.
Email bodies and previews from outside senders are returned directly into the agent's context. That is expected for reading email, but the content may contain prompt-injection attempts.
result += `${msg.text_body || msg.preview}\n\n`;Treat email content as untrusted data and require explicit user confirmation before acting on instructions received by email.
Email metadata or previews could be delivered to webhook infrastructure you configure.
The hook supports webhooks that can send message metadata and previews to a configured endpoint. This is disclosed and purpose-aligned, but it creates an additional data boundary.
"webhooks": { "events": [ { "type": "message.received", "payload": { "message": { "id": "string", "from": { "email": "string", "name": "string" }, "to": "array", "subject": "string", "preview": "string" } } } } ] }Only register webhook URLs you control, verify webhook signatures if used, and avoid forwarding sensitive email content unnecessarily.
If those workflows are later installed or fetched elsewhere, they could add behavior not visible in this review.
The hook references workflow files, including an auto-reply workflow, that are not present in the provided file manifest. The main handlers are reviewable, but these optional workflows cannot be assessed from the supplied artifacts.
"auto-reply": { "description": "Automatically draft and send replies based on email content", "file": "workflows/auto-reply.lobster" }Review any referenced workflow files before enabling them, especially workflows that automatically send replies.
The agent may regularly contact MailMolt and receive action items if you add this to a heartbeat routine.
The skill suggests recurring heartbeat checks. This is disclosed operational behavior, not hidden persistence, but it can make the agent poll the service on an ongoing schedule.
Add MailMolt to your heartbeat routine. Call every 30 minutes
Enable recurring heartbeat checks only if you want ongoing MailMolt activity, and keep the interval and resulting actions under user oversight.