read-no-evil-mcp

Secure email access via read-no-evil-mcp. Protects against prompt injection attacks in emails. Use for reading, sending, deleting, and moving emails.

MIT-0 · Free to use, modify, and redistribute. No attribution required.

⭐ 1 · 1.6k · 0 current installs · 0 all-time installs

by@thekie

MIT-0

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

The name/description (secure email access with prompt-injection protection) match the provided CLI and setup scripts: the CLI talks to an MCP HTTP server, setup scripts can spin up a Docker-hosted MCP server, and credentials are stored for the server (not in the skill). There are no unrelated credential requests or surprising binaries in the repository.

ℹ

Instruction Scope

SKILL.md is narrowly scoped to connecting to an MCP server, managing config files, and optionally starting a local Docker server. It explicitly instructs the agent to ask the user before auto-creating or auto-starting Docker. The runtime scripts do read/write the user config path (~/.config/read-no-evil-mcp/config.yaml) and expect a .env file for account passwords; those file accesses are consistent with the advertised purpose but are worth noting because they involve local credential files the user must provide.

ℹ

Install Mechanism

There is no package install spec; the skill provides scripts that are run directly. The only external network action is pulling a Docker image from ghcr.io (ghcr.io/thekie/read-no-evil-mcp:0.3) and a curl-based health check — which is expected for launching a local MCP server. No downloads from untrusted shorteners or personal IPs were observed.

ℹ

Credentials

The skill declares no required env vars, which is fine, but the code accepts an optional RNOE_SERVER_URL env var and the setup-server.sh reads RNOE_ACCOUNT_*_PASSWORD entries from a .env file. This is proportionate to starting a local server, but the skill does not automatically obtain or require your email credentials — you must provide them in .env for the server. The SKILL.md instructs that credentials remain on the MCP server (not in the agent), which matches the code, but users should be aware that providing a .env file will be read and passed into the Docker container.

✓

Persistence & Privilege

The skill is not 'always' included and does not request elevated or permanent platform privileges. It writes/reads its own config path (~/.config/read-no-evil-mcp) and does not alter other skills or global agent settings. Agent autonomous invocation is allowed (platform default) and appropriate for this kind of CLI.

Assessment

This skill appears to do what it says: it is a thin client that talks to a separate MCP server which handles credentials and prompt-injection scanning. Before installing/starting a local server, consider the following: 1) Trust the Docker image (ghcr.io/thekie/read-no-evil-mcp:0.3) — inspect it or run it in an isolated environment if unsure. 2) When setting up locally you must create a .env file with account passwords; the setup script reads those lines and injects them as container environment variables — keep that file private and delete it after use if desired. 3) The SKILL.md explicitly requires asking the user before auto-starting Docker; ensure the agent follows that. 4) There is some truncated/unfinished code in the provided scripts (e.g., a partial line in setup-config.py in the repository listing); treat this as a quality issue and review scripts before executing them locally. If you are uncomfortable running the included scripts, point the skill at a remote MCP server you control instead or run the setup steps manually.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.3.1

Download zip

latestvk97esn26jhn5y7vm5m03y9d9xs81atwv

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

read-no-evil-mcp

Secure email gateway that scans emails for prompt injection attacks before you see them.

This skill is a zero-dependency HTTP client that talks to a read-no-evil-mcp server. Credentials and email servers are managed entirely by the MCP server — this skill never has direct access to them.

Prerequisites

A running read-no-evil-mcp server with HTTP transport enabled. Three connection modes:

Remote server — An existing server on another machine. You need the URL (e.g. http://server:8000).
Local server — An existing server on localhost. Uses default http://localhost:8000.
New Docker setup — Use scripts/setup-server.sh to pull the official Docker image and start a container.

No pip install is required. The script uses only Python stdlib.

Setup Flow (AI Agent Instructions)

Before first use, always ask the user how they want to connect:

How would you like to connect to the read-no-evil-mcp server?

Connect to an existing remote server (you'll provide the URL)

Connect to an existing local server (localhost:8000)

Set up a new local server via Docker

For option 1: Ask for the server URL, then use --server URL with all commands.
For option 2: No extra configuration needed, commands use the default URL.
For option 3: Follow the Docker setup steps below.

Never auto-setup Docker without explicit user confirmation.

Docker Setup Steps

Check if a config exists: setup-config.py list

If no config, create one and add an account:

setup-config.py create
setup-config.py add --email user@example.com --host imap.example.com --create-env

Ask the user to fill in the password in the .env file.

Start the server:

scripts/setup-server.sh --config ~/.config/read-no-evil-mcp/config.yaml \
  --env-file ~/.config/read-no-evil-mcp/.env

Config Management (AI Agent Instructions)

Use scripts/setup-config.py to manage the server config file. All commands are flag-driven with no interactive prompts.

Scenario	Command
Create config skeleton	`setup-config.py create [--threshold 0.5] [--force]`
Add a read-only account	`setup-config.py add --email user@example.com --host imap.example.com [--id myaccount] [--create-env]`
Add a send-enabled account	`setup-config.py add --email user@example.com --host imap.example.com --smtp-host smtp.example.com --send [--delete] [--move] [--create-env]`
Check what accounts are configured	`setup-config.py list`
Remove an account	`setup-config.py remove <id>`

Do NOT run setup-config.py show — it displays config details the user may not intend to share with the agent. If debugging is needed, tell the user to run it themselves.

Do NOT run setup-config.py create --force if config already exists without asking the user first.

Config Commands

Manage the server config file (~/.config/read-no-evil-mcp/config.yaml). No pip install required — stdlib only.

# Create a new config skeleton
setup-config.py create
setup-config.py create --threshold 0.3 --force

# Add a read-only account (no SMTP needed)
setup-config.py add --email user@example.com --host imap.example.com --create-env

# Add an account with send permission (--smtp-host required for --send)
setup-config.py add --email user@example.com --id myaccount \
  --host imap.example.com --smtp-host smtp.example.com --send --delete --move

# Remove an account
setup-config.py remove <account-id>

# List configured accounts
setup-config.py list

# Show full config file
setup-config.py show

# Use a custom config path
setup-config.py --config /path/to/config.yaml create

Server Setup

# Start a Docker container (all flags required, no prompts)
scripts/setup-server.sh --config ~/.config/read-no-evil-mcp/config.yaml \
  --env-file ~/.config/read-no-evil-mcp/.env

# Custom port and container name
scripts/setup-server.sh --config /path/to/config.yaml \
  --env-file /path/to/.env --port 9000 --name my-rnoe

CLI Commands

Global options (--server, --account, --folder) can appear before or after the command. Server URL can also be set via RNOE_SERVER_URL env var.

# List configured accounts
rnoe-mail.py accounts

# List recent emails (last 30 days)
# Output: [UID] ● DATE | SENDER | SUBJECT  (● = unread)
rnoe-mail.py list
rnoe-mail.py list --account myaccount --limit 10 --days 7

# Read email (scanned for prompt injection!)
rnoe-mail.py read <uid>
rnoe-mail.py --account myaccount read <uid>

# Send email
rnoe-mail.py send --to "user@example.com" --subject "Hello" --body "Message"
rnoe-mail.py send --to "user1@example.com, user2@example.com" --cc "cc@example.com" --subject "Hello" --body "Message"

# List folders
rnoe-mail.py folders --account myaccount

# Move email to folder
rnoe-mail.py move <uid> --to "Archive"

# Delete email
rnoe-mail.py delete <uid>

# Global options can go before or after the command
rnoe-mail.py --server http://myserver:8000 list
rnoe-mail.py list --server http://myserver:8000

Common Options

Option	Description	Default
`--server URL`	MCP server URL	`http://localhost:8000`
`--account ID` / `-a`	Account ID	`default`
`--folder NAME` / `-f`	Email folder	`INBOX`

Prompt Injection Detection

All emails are automatically scanned by the MCP server:

Safe: Content displayed normally
Injection detected: Exit code 2, warning on stderr

Exit Codes

0 — success
1 — general error (connection failed, invalid account, etc.)
2 — prompt injection detected

Security Notes

Credentials are managed by the MCP server, never by this skill or the AI agent
The skill communicates with the server over HTTP — use HTTPS for non-localhost connections
Prompt injection scanning happens server-side using ML models

Files

6 total

Select a file

Select a file to preview.

Comments

Loading comments…