← Back to Skills Marketplace
314
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install fastmail-api
Description
Manage Fastmail mail, mailbox, identity, contact, and calendar workflows through JMAP API calls with safe batching and token hygiene.
README (SKILL.md)
Fastmail API Operations
Setup
On first use, read setup.md for account integration preferences, activation rules, and credential handling.
When to Use
User needs to automate Fastmail through API calls: mailbox management, message search, draft/send flows, identity settings, contact operations, or calendar events. Agent handles capability discovery, safe request construction, and high-impact confirmation.
Architecture
Memory lives in ~/fastmail-api/. See memory-template.md for structure.
~/fastmail-api/
├── memory.md # Account context, IDs, and operating preferences
├── request-log.md # High-impact API actions and outcomes
└── snapshots/ # Optional payload backups before bulk writes
Quick Reference
Use these files when you need details beyond core operating rules.
| Topic | File |
|---|---|
| Setup flow | setup.md |
| Memory template | memory-template.md |
| Session and method call patterns | jmap-patterns.md |
| Mailbox and message workflows | mail-workflows.md |
| Contacts and calendar operations | calendar-contacts.md |
| Error handling and recovery | troubleshooting.md |
Requirements
curljqFASTMAIL_API_TOKEN- Optional:
FASTMAIL_API_BASE(defaults tohttps://api.fastmail.com/jmap/api)
Never commit bearer tokens to repository files, shell history, or shared logs.
Data Storage
~/fastmail-api/memory.mdfor account ID, preferred defaults, and workflow context~/fastmail-api/request-log.mdfor high-impact action history~/fastmail-api/snapshots/for payload backups before bulk updates
Core Rules
1. Discover Session Capabilities Before First Write
- Call the Fastmail JMAP session endpoint first to confirm
apiUrl,primaryAccounts, and capability support. - Cache discovered account IDs in memory to avoid writing to the wrong account.
curl -sS https://api.fastmail.com/jmap/session \
-H "Authorization: Bearer $FASTMAIL_API_TOKEN" | jq
2. Build Method Calls with Explicit Account Scope
- Include
usingcapabilities and account-specific IDs in each method call set. - Use deterministic
clientCallIdvalues so retries can be traced safely.
curl -sS "${FASTMAIL_API_BASE:-https://api.fastmail.com/jmap/api}" \
-H "Authorization: Bearer $FASTMAIL_API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"using": ["urn:ietf:params:jmap:mail", "urn:ietf:params:jmap:core"],
"methodCalls": [
["Mailbox/get", {"accountId": "u123", "ids": null}, "c1"]
]
}' | jq
3. Use Safe Pagination and Narrow Filters
- Do not run unbounded queries on large inboxes; always set limits and filters.
- Prefer
Email/queryplusEmail/getwindows over full mailbox dumps.
4. Confirm Destructive and Broad-Impact Actions
- Confirm before mailbox deletes, message moves affecting many threads, identity updates, or bulk calendar edits.
- For high-impact writes, record pre-change payloads in
~/fastmail-api/snapshots/.
5. Treat Partial Failures as First-Class Results
- Inspect
notCreated,notUpdated, and method-level errors after every write. - Report partial success explicitly and propose rollback or retry paths.
6. Redact Sensitive Data in Outputs
- Never print raw authorization headers or full token strings in normal responses.
- Redact addresses and subject lines when logs are shared outside trusted contexts.
7. Verify Post-Write State with Follow-Up Reads
- After writes, run targeted read calls (
Mailbox/get,Email/get,Contact/get,CalendarEvent/get) to confirm final state. - Only close tasks after state verification succeeds.
Safety Checklist
Before bulk updates, deletes, send flows, or identity changes:
- Confirm target account ID and environment.
- Capture a request snapshot for rollback context.
- Confirm user intent for irreversible actions.
- Execute smallest safe batch first.
- Verify resulting state with read calls.
Fastmail API Traps
- Skipping session discovery can send writes to an incorrect account ID.
- Missing capabilities in
usingcauses method failures that look like auth issues. - Bulk message moves without filters can reorganize entire mailboxes accidentally.
- Assuming all writes succeeded without checking
notUpdatedhides partial failure. - Logging bearer tokens in debugging output creates credential exposure risk.
External Endpoints
Only the official Fastmail JMAP endpoints below are used by this skill.
| Endpoint | Data Sent | Purpose |
|---|---|---|
https://api.fastmail.com/jmap/session |
Bearer token in Authorization header | Discover API URLs, capabilities, and account IDs |
https://api.fastmail.com/jmap/api |
JMAP method payloads for mail, mailbox, identity, contacts, and calendar operations | Execute read and write workflows |
No other data is sent externally.
Security & Privacy
Data that leaves your machine:
- Authenticated JMAP payloads for mailbox, message, contact, and calendar operations
- Message metadata required for requested queries and write actions
Data that stays local:
- Operational context in
~/fastmail-api/memory.md - High-impact action history in
~/fastmail-api/request-log.md - Optional payload snapshots in
~/fastmail-api/snapshots/
This skill does NOT:
- Send undeclared API traffic
- Store bearer tokens in repository files
- Execute destructive writes without explicit confirmation
Trust
By using this skill, mailbox and calendar operation data is sent to Fastmail infrastructure. Only install if you trust Fastmail with this operational data.
Related Skills
Install with clawhub install \x3Cslug> if user confirms:
api- Build robust HTTP request and response workflows for complex APIsoauth- Handle token lifecycle and secure delegated authorization flowsmail- Plan high-quality email workflows, tone, and delivery structurewebhook- Orchestrate event-driven integrations that react to API-side changes
Feedback
- If useful:
clawhub star fastmail-api - Stay updated:
clawhub sync
Usage Guidance
This skill appears to do what it says: it will perform JMAP calls to Fastmail and store local workflow state in ~/fastmail-api/. Before installing, ensure you trust the skill source (source is listed as unknown), be prepared to provide a Fastmail API token with the minimum necessary scope, and review or limit where local logs/snapshots are written (they can contain metadata like account IDs and request payloads). Confirm the agent's confirmation settings during setup so destructive actions require explicit approval, and avoid putting the raw bearer token into files or shared logs.
Capability Analysis
Type: OpenClaw Skill
Name: fastmail-api
Version: 1.0.0
The skill bundle is benign. It explicitly declares its purpose to interact with the Fastmail JMAP API, requires `curl` and `jq`, and uses `FASTMAIL_API_TOKEN` for authentication. All external network calls are clearly documented to be exclusively to Fastmail's official JMAP endpoints. Crucially, the `SKILL.md`, `setup.md`, and `memory-template.md` files contain strong security instructions for the AI agent, such as confirming destructive actions, redacting sensitive data (tokens, addresses) from logs, never storing bearer tokens in local files, and explicitly stating that no undeclared API traffic is sent. There is no evidence of prompt injection for malicious purposes, data exfiltration to unauthorized endpoints, or any other harmful behavior.
Capability Assessment
Purpose & Capability
Name/description (Fastmail JMAP workflows) match the declared requirements: curl, jq, and FASTMAIL_API_TOKEN. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md limits network calls to Fastmail's JMAP endpoints, instructs session discovery, safe batching, confirmation for destructive ops, and local storage for account context. The instructions avoid reading unrelated system secrets and explicitly advise redacting tokens in logs.
Install Mechanism
Instruction-only skill with no install spec or external downloads; nothing is written to disk by an installer. Risk from install mechanism is minimal.
Credentials
Only FASTMAIL_API_TOKEN is required, which is appropriate. Minor note: registry metadata lists no 'primary credential' even though FASTMAIL_API_TOKEN is required — not a security problem but inconsistent metadata.
Persistence & Privilege
The skill writes local state under ~/fastmail-api/ (memory, request log, snapshots), which is expected for workflow persistence but means account IDs, operation history, and snapshots will be stored locally. always:false and no elevated privileges are requested.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install fastmail-api - After installation, invoke the skill by name or use
/fastmail-api - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release with production-safe Fastmail JMAP API workflows for mail, mailbox, identity, and calendar automation.
Metadata
Frequently Asked Questions
What is Fastmail API?
Manage Fastmail mail, mailbox, identity, contact, and calendar workflows through JMAP API calls with safe batching and token hygiene. It is an AI Agent Skill for Claude Code / OpenClaw, with 314 downloads so far.
How do I install Fastmail API?
Run "/install fastmail-api" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Fastmail API free?
Yes, Fastmail API is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Fastmail API support?
Fastmail API is cross-platform and runs anywhere OpenClaw / Claude Code is available (linux, darwin, win32).
Who created Fastmail API?
It is built and maintained by Iván (@ivangdavila); the current version is v1.0.0.
More Skills