ClawHub

Nemoclaw Email Policy

v0.1.1

Enforce email safety policies at the network level with NemoClaw. Use when user says "email policy," "send guardrail," "prevent accidental send," "email allo...

0· 86·0 current·0 all-time
bySteven Obiajulu@stevenobiajulu

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for stevenobiajulu/nemoclaw-email-policy.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Nemoclaw Email Policy" (stevenobiajulu/nemoclaw-email-policy) from ClawHub.
Skill page: https://clawhub.ai/stevenobiajulu/nemoclaw-email-policy
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install nemoclaw-email-policy

ClawHub CLI

Package manager switcher

npx clawhub@latest install nemoclaw-email-policy
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the instructions: the SKILL.md explains using NemoClaw presets and policies to restrict network endpoints for Microsoft 365 email agents. Requested items (macOS, NemoClaw, an MCP email server) are consistent with that purpose.
Instruction Scope
Instructions are focused on applying and testing NemoClaw Outlook presets, editing policy YAML, running onboarding, and verifying with curl/openshell — all relevant to network policy enforcement for email agents. The document does not ask the agent to read unrelated system files or exfiltrate data.
Install Mechanism
This is instruction-only (no install spec). The doc suggests 'npm install -g nemoclaw' or cloning from GitHub; that is a reasonable install path but the skill does not provide a pinned release URL or checksum. Installing an npm package globally requires operator trust of the package source.
Credentials
The skill declares no environment variables, credentials, or config paths. The SKILL.md references Microsoft Graph endpoints (which require real OAuth tokens in practice), but it does not request any unrelated secrets or broad credential access.
Persistence & Privilege
The skill is not always-enabled and does not request persistence or system-wide configuration beyond normal NemoClaw policy changes. The runtime commands the skill recommends (openshell policy set, nemoclaw onboard) legitimately alter network policies for the host, which is expected for this purpose.
Assessment
This skill is an operator guide for applying NemoClaw network policies for email agents on macOS and appears internally consistent. Before following its commands: (1) verify the NemoClaw package/repository you install (npm packages can be anything — prefer an official repo or a pinned release and review code), (2) run the steps in a test environment first because the policy commands will block network access for processes and can interrupt email flows, (3) be aware the Outlook preset allows POSTs to Graph (including sendMail) so also configure the MCP send allowlist or a stricter NemoClaw policy if you want to prevent sending entirely, and (4) ensure you have local backups of any policy files you change. If you want a deeper review, provide the NemoClaw repository URL or the exact npm package metadata to inspect.

Like a lobster shell, security has layers — review code before you run it.

latestvk976pnt5strctqqhh8z7dansfd84ef4f
86downloads
0stars
2versions
Updated 2w ago
v0.1.1
MIT-0
Steven Obiajulu@stevenobiajulu
latest
Download

NemoClaw Email Policy

NemoClaw enforces network-level policies for AI agents. For email workflows, this means controlling which endpoints agents can reach — and which actions they cannot take — regardless of what the agent itself tries to do.

This is defense in depth: even if an email MCP server has a bug, or an agent hallucinates a send command, the network policy blocks the request before it reaches Microsoft's servers.

Why Policy Enforcement Matters

Email agents have access to sensitive data (inbox contents, contacts, calendars) and can take impactful actions (send email, create calendar events, modify inbox rules). In production, "the agent is well-behaved" is not a sufficient security model.

Failure modes without policy enforcement:

  • Agent sends an email to an unintended recipient because of a hallucinated address
  • A prompt injection in an email body tricks the agent into forwarding the message
  • Agent creates an inbox rule that forwards all email to an external address
  • A bug in the MCP server sends a draft that was not approved

NemoClaw prevents these by controlling the network layer — the agent process cannot reach endpoints that are not explicitly allowed.

Prerequisites

  • macOS (NemoClaw uses the macOS sandbox)
  • NemoClaw installed: npm install -g nemoclaw or clone from GitHub
  • Email MCP server configured: e.g., email-agent-mcp with Microsoft 365 OAuth completed

Setting Up the Outlook Preset

NemoClaw ships with a curated Outlook preset that allows the minimum necessary endpoints for Microsoft 365 email.

Apply for the current session

openshell policy set nemoclaw-blueprint/policies/presets/outlook.yaml

This enables access to:

  • graph.microsoft.com — Microsoft Graph API (GET, POST, PATCH)
  • login.microsoftonline.com — OAuth token refresh
  • outlook.office365.com — Outlook backend
  • outlook.office.com — Outlook web (for draft links)

All connections require TLS. The preset blocks all other outbound network access.

Make it permanent

To include the Outlook preset in your baseline policy:

  1. Merge the preset entries into your nemoclaw-blueprint/policies/openclaw-sandbox.yaml
  2. Re-run the onboard wizard: 
    nemoclaw onboard

The preset is one of NemoClaw's 9 built-in presets (discord, docker, huggingface, jira, npm, outlook, pypi, slack, telegram).

What the Policy Enforces

Allowed: Read and Draft Operations

OperationEndpointMethod
List/search emailsgraph.microsoft.com/v1.0/me/messagesGET
Read email bodygraph.microsoft.com/v1.0/me/messages/{id}GET
Create draftgraph.microsoft.com/v1.0/me/messagesPOST
Update draftgraph.microsoft.com/v1.0/me/messages/{id}PATCH
List foldersgraph.microsoft.com/v1.0/me/mailFoldersGET
Create foldergraph.microsoft.com/v1.0/me/mailFoldersPOST
Move emailgraph.microsoft.com/v1.0/me/messages/{id}/movePOST
List eventsgraph.microsoft.com/v1.0/me/eventsGET
OAuth refreshlogin.microsoftonline.com/*/oauth2/v2.0/tokenPOST

Controlled: Send Operations

The Outlook preset allows POST to Graph API endpoints, which includes the send endpoint (/me/sendMail). To restrict sending further:

  1. email-agent-mcp send allowlist — configure which recipients the MCP server allows (empty by default — blocks all sends)
  2. Custom NemoClaw policy — create a custom policy that blocks the send endpoint entirely: 
    - host: graph.microsoft.com
  port: 443
  tls: true
  methods: [GET, PATCH]  # POST removed — blocks send, create draft, move

For most deployments, the MCP allowlist is sufficient. The custom policy is for high-security environments where you want belt-and-suspenders.

Blocked: Everything Else

Any endpoint not in the preset is blocked. This prevents:

  • Data exfiltration to unknown servers
  • Communication with unauthorized APIs
  • Prompt injection attacks that try to redirect requests

Layered Security Model

Production email agents should use multiple layers:

LayerWhat it controlsTool
Network policyWhich endpoints the agent process can reachNemoClaw
Send allowlistWhich recipients the agent can emailemail-agent-mcp config
Draft-first workflowUser approves before any sendAgent skill / MCP design
Inbox rules securityBlock dangerous rule actions (forward, delete)Agent skill / MCP validation

Each layer catches a different class of failure. No single layer is sufficient alone.

Verifying the Policy

After applying the preset, verify it is active:

openshell policy list

Test that blocked endpoints are actually blocked:

# This should succeed (allowed endpoint)
curl -s -o /dev/null -w "%{http_code}" https://graph.microsoft.com/v1.0/me

# This should fail (blocked endpoint)
curl -s -o /dev/null -w "%{http_code}" https://api.example.com/exfiltrate

Troubleshooting

"Network request blocked" errors in the email MCP

The policy is working correctly. Check which endpoint was blocked in the NemoClaw logs. Common causes:

  • The email MCP is trying to reach an endpoint not in the preset (e.g., a new Microsoft endpoint)
  • A third-party dependency is making an unexpected outbound call

OAuth token refresh fails

Verify login.microsoftonline.com is in the allowed hosts. If using a custom policy instead of the preset, ensure both GET and POST are allowed for the login endpoint.

Calendar or Teams tools fail

The Outlook preset covers core email and calendar endpoints. For Teams, add the Teams preset separately or merge the required endpoints into your policy.

Feedback

If this skill helped, star us on GitHub: https://github.com/UseJunior/email-agent-mcp On ClawHub: clawhub star stevenobiajulu/nemoclaw-email-policy

Comments

Loading comments...