ClawHub

AgentCloak - Email Proxy that filters PII, 2FA, and password resets

Secure email proxy for AI agents. Search, read, and draft emails via MCP with server-side credential isolation, PII redaction, prompt injection detection, an...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 433 · 2 current installs · 2 all-time installs
by@ryanfren
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, required binary (mcporter), and the single required env var (AGENTCLOAK_API_KEY) are consistent with an MCP-based email proxy. The advertised capabilities (search, read, draft, filtering pipeline) map to the provided mcporter call examples. Minor inconsistency: the SKILL.md shows an optional AGENTCLOAK_URL env var in self-hosting instructions but AGENTCLOAK_URL is not listed in requires.env.
Instruction Scope
SKILL.md only instructs the agent/operator to configure mcporter and call AgentCloak endpoints; it does not tell the agent to read unrelated files, access other credentials, or exfiltrate data. Self-hosting instructions include git/pnpm commands for humans to run, but there is no runtime instruction for the agent to execute those. The trust statement at the end is truncated, so some privacy claims cannot be validated from this text alone.
Install Mechanism
There is no install spec and no code files in the skill bundle (instruction-only), so nothing will be downloaded or written by the skill itself. Self-host instructions point to a GitHub repo and standard Node/pnpm tooling, but that only applies if you choose to self-host.
Credentials
The only required credential is AGENTCLOAK_API_KEY (declared as primary), which is appropriate for a proxy service. The documentation references AGENTCLOAK_URL for self-host setups but does not declare it as required; that's a small documentation gap. The larger privacy/security consideration is operational: using the hosted service means you must trust that server with your email credentials and content.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request system-level persistence or permissions beyond a single API key and use of mcporter, and it does not modify other skills' configs.
Assessment
This skill appears internally consistent for an email-proxy: it only needs an API key and the mcporter client to talk to AgentCloak. The main risk is trust: the hosted service must store your email credentials and will see (and filter) your messages. If you care about sensitive accounts, self-host instead and audit the GitHub repo before running it. Verify the mcporter binary you install is the legitimate tool referenced by your platform. Don’t assume the short privacy claims (e.g., 'API keys are hashed') are true without checking the repo or running a security review of the server code. If you proceed with the hosted option, consider testing with a low-risk account first and review the full source and privacy policy on the linked GitHub page.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97erkkeybsdhbdcs05q2tnn9x81ffpd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🛡️ Clawdis
Binsmcporter
EnvAGENTCLOAK_API_KEY
Primary envAGENTCLOAK_API_KEY

SKILL.md

AgentCloak

Secure email proxy for AI agents. AgentCloak sits between your agent and your email, so the agent gets useful email access without seeing credentials, sensitive financial data, PII, or prompt injection attacks.

Every other email skill on ClawHub gives your agent raw, unfiltered access to your inbox. AgentCloak is the only one with a built-in security pipeline.

What makes this different

  • Credential isolation — your email password/OAuth tokens stay server-side; the agent only has an API key
  • 4-stage content filter — blocklist, HTML sanitizer, PII redaction, prompt injection detection
  • Read + draft only — agents can search, read, list, and draft emails but cannot send, delete, or modify anything
  • Draft safety — drafts are never sent automatically; you review them first
  • Self-host or hosted — run your own instance or use the hosted version

Setup

Option A: Hosted version (quickest)

  1. Sign up at https://agentcloak.up.railway.app
  2. Connect your email (IMAP works with any provider, Gmail OAuth available by invite)
  3. Create an API key in the dashboard
  4. Configure:
export AGENTCLOAK_API_KEY=ac_your_key_here
mcporter config add agentcloak \
  --baseUrl "https://agentcloak.up.railway.app/mcp" \
  --header "Authorization: Bearer $AGENTCLOAK_API_KEY"

Option B: Self-hosted

  1. Clone and run:
git clone https://github.com/ryanfren/AgentCloak.git
cd agentcloak
pnpm install && pnpm build && pnpm dev
  1. Open http://localhost:3000, create an account, connect email, create API key
  2. Configure:
export AGENTCLOAK_URL=http://localhost:3000
export AGENTCLOAK_API_KEY=ac_your_key_here
mcporter config add agentcloak \
  --baseUrl "${AGENTCLOAK_URL}/mcp" \
  --header "Authorization: Bearer $AGENTCLOAK_API_KEY"

Requirements for self-hosting: Node.js 20+, pnpm 10+

Available tools

ToolDescriptionKey parameters
search_emailsSearch emails with Gmail-style queriesquery, max_results (1-200), page_token
read_emailRead full email content by IDmessage_id
list_threadsList conversation threadsquery, max_results, page_token
get_threadRead all messages in a threadthread_id
create_draftCreate a draft (not sent)to, subject, body, in_reply_to_thread_id
list_draftsList existing draftsmax_results
list_labelsList all labels with unread counts(none)
get_provider_infoGet provider type and capabilities(none)

Usage examples

# Search for unread emails
mcporter call agentcloak.search_emails query:"is:unread" max_results:10

# Read a specific email
mcporter call agentcloak.read_email message_id:"abc123"

# Get a full conversation thread
mcporter call agentcloak.get_thread thread_id:"thread456"

# Draft a reply (not sent until you review it)
mcporter call agentcloak.create_draft subject:"Re: Meeting" body:"Sounds good, see you Thursday." in_reply_to_thread_id:"thread456"

# List labels and unread counts
mcporter call agentcloak.list_labels

Security pipeline

Every email passes through a 4-stage filter before the agent sees it. Each stage is independently configurable from the dashboard.

Stage 1: Blocklist

Blocks emails from sensitive senders outright. Three toggleable categories:

  • Financial — 40+ domains (Chase, PayPal, Venmo, Coinbase, etc.)
  • Security senders — patterns like security@, fraud@, alerts@, .gov addresses
  • Security subjects — password resets, 2FA codes, verification links, login alerts

Plus custom blocklists: add your own domains, sender patterns, or subject patterns.

Stage 2: HTML sanitizer

Converts HTML email to plaintext and strips dangerous Unicode (zero-width characters, bidirectional overrides, tag characters, variation selectors) that could be used to hide prompt injection.

Stage 3: PII redaction

Redacts sensitive patterns with placeholders:

  • SSNs, credit card numbers, bank account/routing numbers
  • API keys (sk_, pk_, AWS keys), bearer tokens, PEM private keys
  • Optionally: email addresses, large dollar amounts

Stage 4: Prompt injection detection

Scans for 19 known injection patterns (instruction overrides, role reassignments, system tag injections, data exfiltration attempts). Flags detected content with a [AGENTCLOAK WARNING] prefix so the agent knows the email may be adversarial. Does not block — lets the agent make an informed decision.

Security and privacy

What data leaves your machine:

ScenarioData flow
Self-hostedNothing leaves your machine. All processing is local.
Hosted versionYour email credentials are stored server-side (encrypted). Email content passes through the hosted server's filter pipeline. No data is shared with third parties.
  • API keys are hashed (SHA-256) before storage — the server cannot recover your key after creation
  • Email credentials are stored server-side; the agent never sees them
  • All filtering happens server-side before content reaches the agent
  • The agent can only read and draft — it cannot send, delete, or modify emails
  • Source code is open: https://github.com/ryanfren/AgentCloak

Trust statement: By using the hosted version, you trust the AgentCloak server with access to your email account credentials and content. If this is not acceptable, self-host your own instance for full control.

Email providers

AgentCloak supports three connection methods:

  • IMAP — works with any email provider (Gmail, Outlook, ProtonMail Bridge, Fastmail, etc.)
  • Gmail OAuth — direct API access (currently invite-only during beta)
  • Gmail Apps Script — manual setup via script.google.com, no Google Cloud project needed

Limitations

  • Read and draft only — no send, delete, or modify
  • Gmail search syntax only (even for IMAP connections, queries are translated)
  • Attachment content is not accessible (metadata can optionally be shown)
  • Gmail OAuth is invite-only during beta; IMAP and Apps Script are open to all
  • Hosted version is in beta

Links

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…