Fastmail Suite
v0.1.4Secure, safe-by-default Fastmail integration (email, contacts, calendar) via JMAP + CalDAV. Use when you want to verify Fastmail setup, triage/search email,...
⭐ 0· 326·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description (Fastmail JMAP + CalDAV email/contacts/calendar tooling) matches the code and runtime instructions: the scripts talk to api.fastmail.com and caldav.fastmail.com, require Fastmail tokens/app-passwords, and implement read and optional write operations. No unrelated hostnames, cloud providers, or unrelated credentials are requested. One minor inconsistency: the registry metadata at the top lists no required environment variables, while SKILL.md and the code clearly require FASTMAIL_TOKEN (and optional FASTMAIL_TOKEN_SEND, FASTMAIL_CALDAV_* etc.).
Instruction Scope
SKILL.md instructs the agent/user to set Fastmail-specific env vars and run the included scripts; the scripts only access Fastmail endpoints and a small set of environment variables (tokens, redaction, base URLs, optional identity/account overrides). The instructions do not direct the agent to read arbitrary files, other credentials, or to transmit data to non-Fastmail endpoints. The wrapper uses subprocess to invoke bundled scripts (expected).
Install Mechanism
There is no install spec and the bundle is instruction/script-only (stdlib-only Python). No remote downloads, package installs, or archive extraction occur. The code is local and readable; nothing is fetched from unknown servers at install time.
Credentials
The environment variables the skill uses are proportional to its purpose: FASTMAIL_TOKEN for JMAP reads, FASTMAIL_TOKEN_SEND for submissions, FASTMAIL_CALDAV_USER/PASS for CalDAV, and flags for redaction/writes. Notes: (1) SKILL.md documents most of these, but the registry metadata did not declare required env vars — this discrepancy should be resolved before trusting automated installs. (2) The code reads a few additional optional envs (FASTMAIL_MAX_BODY_BYTES, FASTMAIL_BASE_URL, FASTMAIL_ACCOUNT_ID, FASTMAIL_IDENTITY_ID/EMAIL) that are reasonable for advanced configuration but are not listed in the top env table; they are optional and not sensitive beyond the tokens themselves.
Persistence & Privilege
The skill does not request permanent/system-level presence (always:false) and does not modify other skills or system-wide configuration. Autonomous invocation is allowed (platform default) but that is appropriate for a user-invocable integration. No evidence of privilege escalation or attempts to persist tokens beyond using the environment variables passed at runtime.
Assessment
This skill is coherent with its stated purpose: it talks only to Fastmail endpoints and needs Fastmail tokens/app-passwords. Before installing: (1) Prefer creating and supplying a read-only JMAP token (FASTMAIL_TOKEN) — avoid giving a full-equals-send token unless you explicitly enable writes. (2) Be cautious with FASTMAIL_ENABLE_WRITES=1 and FASTMAIL_TOKEN_SEND; only enable when you intend to perform sends/edits. (3) Note the metadata mismatch: the registry entry omitted required env vars while SKILL.md documents them; verify the SKILL.md is authentic and that you supply tokens only via secure channels. (4) Optionally audit the included Python files yourself (they are stdlib-only and readable) and run the scripts in an isolated environment if you are concerned. (5) If you need higher assurance, ask the author to update registry metadata to list required env vars and provide a homepage/source link for verification.Like a lobster shell, security has layers — review code before you run it.
latestvk97d7mf857bpy29hz4mfek29xs820a7p
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📧 Clawdis