ClawHub

Imap Idle Review

v1.4.0

Event-driven email monitoring using IMAP IDLE protocol. Replaces polling with instant push notifications via OpenClaw webhooks. Use when setting up email monitoring, replacing hourly email checks, or implementing event-driven email processing. Monitors multiple IMAP accounts, triggers webhooks on new mail, zero tokens while waiting.

3· 1.6k·2 current·2 all-time
byJake@topitip
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with included code: listener connects to IMAP servers, enters IDLE, and posts events to a configured webhook. Required packages (imapclient, optional keyring) and config paths (~/.openclaw/imap-idle.json, ~/.openclaw/openclaw.json) are consistent with the stated purpose.
Instruction Scope
SKILL.md instructions are generally scoped to configuring IMAP accounts, keyring, and OpenClaw webhooks and starting the listener. Two issues to note: 1) The docs/commands refer to an `imap-idle` CLI wrapper (./imap-idle start, imap-idle setup) but the shipped files appear to be Python scripts under scripts/ (listener.py, setup.py) — there is no obvious top-level `imap-idle` wrapper included. 2) An older file (scripts/listener_old.py) contains personalized hardcoded checks (e.g., account == 'a.parmeev@jakeberrimor.com' and '@arkasha-ai' patterns); while the newer listener.py appears to have generalized that behavior, the presence of listener_old.py is a leftover that should be inspected or removed.
Install Mechanism
No remote install actions are declared by the registry entry (instruction-only). Dependencies are standard Python packages installed with pip per the instructions. No downloads from untrusted URLs inside the skill bundle. The README suggests a GitHub release URL for an external .skill package, but the skill as delivered contains code files (no automatic installer), so be cautious if you follow external download instructions.
Credentials
The skill requests no environment variables or unrelated credentials. It stores credentials in a local config (~/.openclaw/imap-idle.json) or optionally in the OS keyring, which is appropriate for the task. The webhook token is a necessary secret for authenticating to your OpenClaw gateway; nothing in the package asks for unrelated cloud credentials or excessive secrets.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It optionally advises creating a systemd service for persistence, which is normal for a background listener. It does not request special platform privileges or attempt to modify other skills' configs in the provided code.
What to consider before installing
This skill appears to implement IMAP IDLE → webhook behavior as described, but review before installing: - Verify webhook_url points to your own OpenClaw gateway (default is localhost). If you set the webhook to a remote service it will receive your email metadata — that is expected behavior but must be intentional. - Inspect the included Python files yourself (scripts/listener.py, scripts/setup.py). The older file scripts/listener_old.py contains personalized logic (hardcoded account and mention checks) and should be removed or audited; leftover code can be a maintenance / privacy risk. - The docs reference an `imap-idle` CLI wrapper (./imap-idle start) which is not obviously present in the shipped files; confirm how the skill is expected to be launched on your system (use scripts/listener.py directly or create your own wrapper). - Prefer OS keyring on desktops; for headless servers follow the SECURITY.md advice: chmod 600 on config, run as a dedicated non-root user, limit network egress, and use disk encryption or secrets management for containers. - Test in an isolated environment or non-production account first. Ensure logs and config files are restricted (600) and monitor network traffic if you want to verify there are no unexpected outbound endpoints. If you want, I can point out the exact lines in the files that reference the hardcoded account/mention logic, and suggest minimal edits to remove or sanitize leftovers.

Like a lobster shell, security has layers — review code before you run it.

latestvk971ejx00b2jp07n8xcxtzpfw980zq1z

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments