ClawHub

Fastmail JMAP

v1.3.1

Give your AI agent email superpowers via Fastmail JMAP. Read, search, send, move, trash — zero deps. By The Agent Wire (theagentwire.ai)

2· 622·0 current·0 all-time
byThe Agent Wire@theagentwire
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md, and the included Python script all align: this is a Fastmail JMAP CLI for reading, searching, sending, and managing mail. The required capability (a Fastmail API token) is consistent with that purpose — however, the registry metadata claims no required environment variables while the SKILL.md and code require FASTMAIL_TOKEN (and optionally FASTMAIL_IDENTITY), which is an inconsistency.
Instruction Scope
The SKILL.md instructions are narrowly scoped to using the Fastmail JMAP API (session and API endpoints) and running the bundled Python script. The instructions do not ask the agent to read unrelated files, system configuration, or contact endpoints outside Fastmail's API. They explicitly advise obtaining a token and limiting sending to explicit approval.
Install Mechanism
No install spec is present (instruction-only + included script). No downloads or external packages are pulled; the script uses only the Python stdlib. This is low-risk from an install perspective.
!
Credentials
The code and SKILL.md require a Fastmail API token (FASTMAIL_TOKEN) and optionally FASTMAIL_IDENTITY, which are reasonable for an email skill. However, the registry metadata lists no required env vars or primary credential — that mismatch is concerning because automated systems that read only registry metadata could fail to surface that a secret token is needed. Also ensure the token is stored/injected securely and that its scopes are limited to Email (read/write) and Email Submission as recommended.
Persistence & Privilege
The skill is not marked always:true and does not request elevated persistent privileges. The default ability for the agent to invoke the skill autonomously is enabled (platform default) but is not combined with other red flags here.
What to consider before installing
This skill's code and documentation clearly implement Fastmail JMAP usage and require a Fastmail API token (FASTMAIL_TOKEN). Before installing: (1) fix the metadata mismatch — confirm the registry entry or the gateway knows FASTMAIL_TOKEN is required; (2) create a token with the minimal scopes (Email read/write and Email Submission) and store it in your secrets manager (do not paste it in plaintext); (3) review the script yourself (it uses only Fastmail endpoints and Python stdlib) and verify you are comfortable granting the token the listed scopes; (4) ensure the agent will ask you before sending email (the docs advise this, but automation can send if invoked programmatically). The mismatch between registry metadata and the SKILL.md/code is the primary reason this is flagged as suspicious — resolving that will materially reduce the concern. If you want higher assurance, request the full (non-truncated) script for review to ensure there are no hidden network calls or unexpected behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk979e1ajtk853vy5sdsmr163zd82egmr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📧 Clawdis

Comments