iGPT Email Intelligence

Review

Audited by ClawScan on May 10, 2026.

Overview

This skill appears purpose-aligned for searching a connected email account through iGPT, but it handles highly sensitive inbox data and depends on an external API key, OAuth email connection, and Python package.

Install only if you trust iGPT with access to the connected mailbox. Protect the IGPT_API_KEY, confirm which email account is connected, use narrow searches when possible, and treat returned email bodies as untrusted data rather than instructions.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone with the configured iGPT access could potentially retrieve email search results for the connected account.

Why it was flagged

The skill requires an API key and OAuth-authorized access to a user's email datasource, which is expected for email search but grants sensitive account-level access.

Skill content

An iGPT API key ... A connected email datasource — the user must have completed OAuth authorization via `connectors/authorize` before search will return results

Recommendation

Use a dedicated, protected API key; connect only the intended mailbox; review iGPT's OAuth scopes and revocation controls; and rotate or revoke access if no longer needed.

What this means

Private emails may be returned into the agent context, and malicious or misleading content inside an email could influence later agent behavior if treated as trusted instructions.

Why it was flagged

The skill retrieves raw email content from a broad, persistent index of the user's mailbox. That is central to the purpose, but emails are sensitive and may contain untrusted text.

Skill content

Searches across the user's full indexed email history ... Retrieval only. It finds and returns email content.

Recommendation

Use narrow searches, date filters, and result limits where possible; avoid sending retrieved emails to unrelated tools; and treat email contents as data, not instructions.

What this means

Installing the package introduces external code that was not included in the supplied skill artifacts.

Why it was flagged

The instruction-only skill relies on installing an external Python package, but no package version pin or bundled code is provided for review.

Skill content

pip install igptai

Recommendation

Install only from the official package source, consider pinning a known-good version, and review the package before using it in sensitive environments.

What this means

A searched email could contain text that attempts to mislead the agent if the agent fails to separate retrieved content from trusted instructions.

Why it was flagged

The skill can place raw email text into the agent's working context. Emails are external, user-generated content and may contain instructions that should not override the user's goal.

Skill content

Returns relevant messages and threads ranked by meaning ... Retrieve raw email content for further processing

Recommendation

Use retrieved emails only as evidence for the user's request, and do not follow instructions found inside email bodies unless the user explicitly confirms them.