Imap Idle Review
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its email-monitoring purpose, but it deserves review because it runs persistently, handles mailbox and webhook credentials, and forwards untrusted email snippets into an agent webhook.
Install only if you are comfortable giving the skill access to the monitored mailboxes and your OpenClaw webhook token. Prefer keyring storage, chmod 600 on the config file, keep the webhook local/trusted, and configure OpenClaw to treat all email content as untrusted before taking actions.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone who can email a monitored inbox may be able to place instructions in text that the agent receives, potentially steering downstream agent behavior if the main session treats the email as a prompt.
The listener includes email subject/body preview text in a webhook payload that wakes OpenClaw immediately. Email content is controlled by external senders and can contain instructions.
return f"{notification_type['icon']} GitHub: {notification_type['action']}\n{subject}\n\n{body_preview[:500]}" ... payload = { "text": text, "mode": "now" }
Treat all email fields as untrusted data. Label or sanitize webhook text, consider metadata-only notifications, and require human approval before any agent action triggered by an email.
A local user or process with access to the config file could obtain mailbox credentials or the token used to wake the OpenClaw gateway.
If keyring is unavailable or declined, the setup stores the IMAP password in config; the webhook token is also stored there. The setup writes the file but does not show an explicit chmod to restrict permissions.
account['password'] = password ... "webhook_token": webhook_token ... with open(config_path, 'w') as f: json.dump(config, f, indent=2)
Use keyring where possible, set the config file to mode 600, use app-specific or least-privilege mail credentials, and rotate the OpenClaw webhook token if it may have been exposed.
If the webhook URL is misconfigured or changed to an untrusted endpoint, email snippets and the webhook authorization token could be sent outside the intended local gateway.
The skill sends email summaries to a configured webhook with a bearer token. The default documented URL is localhost, and this is purpose-aligned, but the destination is configurable.
headers = { "Authorization": f"Bearer {self.webhook_token}", "Content-Type": "application/json" } ... urllib.request.Request(self.webhook_url, data=json.dumps(payload).encode('utf-8'), headers=headers, method='POST')
Verify the webhook URL points to your own OpenClaw gateway, prefer localhost or trusted TLS endpoints, and keep the webhook token private.
The listener will continue monitoring inboxes and waking OpenClaw until you stop it or disable the service.
The skill is designed to keep running in the background and can be configured to start on boot. This is disclosed and aligned with event-driven monitoring.
imap-idle start # Start listener in background ... Systemd Service (Optional) ... automatic startup on boot
Use the documented status/stop commands, review any systemd service before enabling it, and run it under a dedicated low-privilege user if deployed on a server.
Future dependency changes or a compromised package could affect the listener under your user account.
The setup documentation asks users to install unpinned Python packages and to use --break-system-packages. This is user-directed and related to the skill, but it increases dependency and environment risk.
pip3 install imapclient --user --break-system-packages ... pip3 install keyring --user --break-system-packages
Install dependencies in a virtual environment where possible, pin versions, and avoid --break-system-packages unless you understand the system impact.
