Fastmail Jmap.Disabled
Warn
Audited by ClawScan on May 10, 2026.
Overview
This looks like a real Fastmail email tool, but it asks for broad mailbox/send authority while registry metadata under-declares that access and the package identity/capabilities are inconsistent.
Install only if you intentionally want this agent to have broad Fastmail access. Prefer a dedicated, least-privileged token, verify the publisher/version mismatch is resolved, document or remove the contacts helper, and require confirmation before sending, trashing, or moving email.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed with the requested token, the agent can read/search your mailbox, send mail, and change email state such as moving or trashing messages.
The skill requires a Fastmail API token with authority to read, modify, and send email. The registry metadata supplied for the skill lists no required env vars and no primary credential, so this high-impact permission boundary is declared only in the README and under-declared everywhere else.
Scopes: Email (read/write) + Email Submission (send) ... export FASTMAIL_TOKEN="fmu1-..."
Declare the Fastmail token as a primary credential in metadata, use the least-privileged token possible, and require explicit user approval for send/delete/move operations.
If the token includes Contacts scope, the agent could retrieve address-book details beyond ordinary email management.
The package includes a contacts-access CLI requiring Contacts scope, while the visible top-level description and command list focus on email operations. Contacts can include private phone numbers, addresses, and notes.
Fastmail JMAP Contacts CLI — search and read contacts. ... Env: FASTMAIL_TOKEN (API token with Contacts scope)
Either remove the contacts helper or clearly document it in SKILL.md and metadata, including the Contacts scope and what contact fields may be returned.
It is harder to know exactly which publisher/version you are trusting before giving the skill access to your email account.
The identity declared in the package's own _meta conflicts with the submitted registry metadata identifying owner kn750bx66hyza0dw0yxwjat3t181xapp, slug fastmail-jmap-disabled, and version 1.0.0. That mismatch creates a provenance and version-tracking gap.
"ownerId": "kn7fqhc36bye71613wpewknkbx81k1mh", "slug": "fastmail-jmap", "version": "1.3.0"
Resolve the registry/_meta identity mismatch and publish from a verifiable source before users provide credentials.
An agent using these commands can change mailbox state; mistakes could file, hide, mark, or trash messages.
The skill documents high-impact email mutation and sending commands. It gives explicit approval guidance for sending, but not for move/trash/mark-read operations.
`send <to> <subject> <body>` | Send an email | ... `move <email-id> <mailbox-name>` ... `trash <email-id>` ... Always ask before sending. Never send without approval.
Keep send approval mandatory and add similar confirmation guidance for trashing, moving, or bulk-changing messages.
A malicious or misleading email could try to influence the agent if the agent treats email text as instructions instead of data.
The script returns email body content into the agent/user context. That is expected for an email reader, but mailbox content is untrusted input and may contain instructions aimed at the agent.
"fetchTextBodyValues": True, "fetchHTMLBodyValues": True ... print(body_text[:5000] if body_text else " (no body)")
Treat email bodies as untrusted content; summarize them as data and do not follow instructions embedded in emails unless the user explicitly confirms.
If enabled in a recurring workflow, the agent may periodically inspect unread mail and surface summaries.
The artifact suggests an optional recurring email-check workflow. It does not install persistence itself, but users should understand that configuring this would repeatedly access their mailbox.
### In heartbeat/cron: ... Run: `python3 scripts/fastmail.py unread` ... If urgent/actionable emails found, summarize and alert.
Only enable heartbeat/cron checking intentionally, set a clear frequency, and limit what email content may be summarized or alerted.
