Is imap-email safe?

https://clawhub.ai/mvarrieur/imap-email

72
CAUTION

This IMAP email skill is functionally legitimate and well-structured, with no malicious code or prompt injection detected. However, it inherently grants the AI agent access to full email content including sensitive personal, financial, and credential data. The primary risks are privacy exposure through the agent's access to email bodies, potential for credential interception when TLS validation is disabled, and the skill's vulnerability to composition attacks if paired with skills that have outbound network access.

Category Scores

Prompt Injection 78/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (10)

MEDIUM Full email content accessible to agent -20

The skill outputs complete email bodies (text and HTML) as JSON to stdout. When an AI agent uses this skill, it gains access to all email content in the configured mailbox. This is the skill's intended purpose but represents a significant privacy surface — the agent will see financial statements, personal correspondence, credentials sent via email, etc.

MEDIUM TLS certificate validation disabled in recommended config -15

The SKILL.md recommends setting IMAP_REJECT_UNAUTHORIZED=false for ProtonMail Bridge. While this is necessary for self-signed certificates on localhost, it could be misapplied to remote IMAP servers, enabling man-in-the-middle attacks that intercept credentials and email content.

LOW Credential storage in plaintext .env file -5

IMAP credentials (including password) are stored in a plaintext .env file. While this is a common pattern and .gitignore protection is mentioned, the credentials are accessible to any process or skill that can read files in the skill directory.

LOW Hardcoded PII in SKILL.md examples -12

The cron integration example contains a hardcoded phone number (+15085600825) and absolute filesystem path (/Users/mike/clawd/). While likely just copy-paste from the author's setup, this leaks personal information and could confuse the agent into using these values.

MEDIUM Agent instructed to autonomously access email on schedule -10

The SKILL.md contains a cron integration section that instructs the agent to set up autonomous periodic email checking. This means the skill encourages unsupervised email access, which increases the risk of the agent processing sensitive content without user awareness.

MEDIUM Mailbox state modification capability -15

The mark-read and mark-unread commands allow the agent to modify email flags. A malicious or malfunctioning agent could mark emails as read to hide that they were accessed, or mark important emails as unread repeatedly to create confusion.

MEDIUM High-value target for skill composition attacks -25

If this skill is installed alongside another skill with outbound HTTP/webhook capabilities, an agent could be prompted to read emails and forward their contents externally. The skill itself doesn't exfiltrate data, but it creates a powerful data source that other skills could abuse.

INFO setup.sh writes credentials to disk -8

The setup.sh script prompts for IMAP credentials and writes them to a .env file. This is standard setup behavior but creates a persistent credential file on disk.

INFO Dependencies are well-known and version-locked 0

The three npm dependencies (imap-simple, mailparser, dotenv) are popular, well-maintained packages. The package-lock.json pins exact versions and includes integrity hashes, reducing supply chain risk.

INFO Clean install with no side effects 0

The skill installation produced no filesystem changes, network activity, or process execution beyond the expected npm install. No malicious install-time behavior detected.