← 返回 Skills 市场
ryanfren

AgentCloak - Email Proxy that filters PII, 2FA, and password resets

作者 ryanfren · GitHub ↗ · v1.0.0
cross-platform ✓ 安全检测通过
630
总下载
0
收藏
2
当前安装
1
版本数
在 OpenClaw 中安装
/install agentcloak-email-proxy
功能描述
Secure email proxy for AI agents. Search, read, and draft emails via MCP with server-side credential isolation, PII redaction, prompt injection detection, an...
使用说明 (SKILL.md)

AgentCloak

Secure email proxy for AI agents. AgentCloak sits between your agent and your email, so the agent gets useful email access without seeing credentials, sensitive financial data, PII, or prompt injection attacks.

Every other email skill on ClawHub gives your agent raw, unfiltered access to your inbox. AgentCloak is the only one with a built-in security pipeline.

What makes this different

  • Credential isolation — your email password/OAuth tokens stay server-side; the agent only has an API key
  • 4-stage content filter — blocklist, HTML sanitizer, PII redaction, prompt injection detection
  • Read + draft only — agents can search, read, list, and draft emails but cannot send, delete, or modify anything
  • Draft safety — drafts are never sent automatically; you review them first
  • Self-host or hosted — run your own instance or use the hosted version

Setup

Option A: Hosted version (quickest)

  1. Sign up at https://agentcloak.up.railway.app
  2. Connect your email (IMAP works with any provider, Gmail OAuth available by invite)
  3. Create an API key in the dashboard
  4. Configure:
export AGENTCLOAK_API_KEY=ac_your_key_here
mcporter config add agentcloak \
  --baseUrl "https://agentcloak.up.railway.app/mcp" \
  --header "Authorization: Bearer $AGENTCLOAK_API_KEY"

Option B: Self-hosted

  1. Clone and run:
git clone https://github.com/ryanfren/AgentCloak.git
cd agentcloak
pnpm install && pnpm build && pnpm dev
  1. Open http://localhost:3000, create an account, connect email, create API key
  2. Configure:
export AGENTCLOAK_URL=http://localhost:3000
export AGENTCLOAK_API_KEY=ac_your_key_here
mcporter config add agentcloak \
  --baseUrl "${AGENTCLOAK_URL}/mcp" \
  --header "Authorization: Bearer $AGENTCLOAK_API_KEY"

Requirements for self-hosting: Node.js 20+, pnpm 10+

Available tools

Tool Description Key parameters
search_emails Search emails with Gmail-style queries query, max_results (1-200), page_token
read_email Read full email content by ID message_id
list_threads List conversation threads query, max_results, page_token
get_thread Read all messages in a thread thread_id
create_draft Create a draft (not sent) to, subject, body, in_reply_to_thread_id
list_drafts List existing drafts max_results
list_labels List all labels with unread counts (none)
get_provider_info Get provider type and capabilities (none)

Usage examples

# Search for unread emails
mcporter call agentcloak.search_emails query:"is:unread" max_results:10

# Read a specific email
mcporter call agentcloak.read_email message_id:"abc123"

# Get a full conversation thread
mcporter call agentcloak.get_thread thread_id:"thread456"

# Draft a reply (not sent until you review it)
mcporter call agentcloak.create_draft subject:"Re: Meeting" body:"Sounds good, see you Thursday." in_reply_to_thread_id:"thread456"

# List labels and unread counts
mcporter call agentcloak.list_labels

Security pipeline

Every email passes through a 4-stage filter before the agent sees it. Each stage is independently configurable from the dashboard.

Stage 1: Blocklist

Blocks emails from sensitive senders outright. Three toggleable categories:

  • Financial — 40+ domains (Chase, PayPal, Venmo, Coinbase, etc.)
  • Security senders — patterns like security@, fraud@, alerts@, .gov addresses
  • Security subjects — password resets, 2FA codes, verification links, login alerts

Plus custom blocklists: add your own domains, sender patterns, or subject patterns.

Stage 2: HTML sanitizer

Converts HTML email to plaintext and strips dangerous Unicode (zero-width characters, bidirectional overrides, tag characters, variation selectors) that could be used to hide prompt injection.

Stage 3: PII redaction

Redacts sensitive patterns with placeholders:

  • SSNs, credit card numbers, bank account/routing numbers
  • API keys (sk_, pk_, AWS keys), bearer tokens, PEM private keys
  • Optionally: email addresses, large dollar amounts

Stage 4: Prompt injection detection

Scans for 19 known injection patterns (instruction overrides, role reassignments, system tag injections, data exfiltration attempts). Flags detected content with a [AGENTCLOAK WARNING] prefix so the agent knows the email may be adversarial. Does not block — lets the agent make an informed decision.

Security and privacy

What data leaves your machine:

Scenario Data flow
Self-hosted Nothing leaves your machine. All processing is local.
Hosted version Your email credentials are stored server-side (encrypted). Email content passes through the hosted server's filter pipeline. No data is shared with third parties.
  • API keys are hashed (SHA-256) before storage — the server cannot recover your key after creation
  • Email credentials are stored server-side; the agent never sees them
  • All filtering happens server-side before content reaches the agent
  • The agent can only read and draft — it cannot send, delete, or modify emails
  • Source code is open: https://github.com/ryanfren/AgentCloak

Trust statement: By using the hosted version, you trust the AgentCloak server with access to your email account credentials and content. If this is not acceptable, self-host your own instance for full control.

Email providers

AgentCloak supports three connection methods:

  • IMAP — works with any email provider (Gmail, Outlook, ProtonMail Bridge, Fastmail, etc.)
  • Gmail OAuth — direct API access (currently invite-only during beta)
  • Gmail Apps Script — manual setup via script.google.com, no Google Cloud project needed

Limitations

  • Read and draft only — no send, delete, or modify
  • Gmail search syntax only (even for IMAP connections, queries are translated)
  • Attachment content is not accessible (metadata can optionally be shown)
  • Gmail OAuth is invite-only during beta; IMAP and Apps Script are open to all
  • Hosted version is in beta

Links

安全使用建议
This skill appears internally consistent for an email-proxy: it only needs an API key and the mcporter client to talk to AgentCloak. The main risk is trust: the hosted service must store your email credentials and will see (and filter) your messages. If you care about sensitive accounts, self-host instead and audit the GitHub repo before running it. Verify the mcporter binary you install is the legitimate tool referenced by your platform. Don’t assume the short privacy claims (e.g., 'API keys are hashed') are true without checking the repo or running a security review of the server code. If you proceed with the hosted option, consider testing with a low-risk account first and review the full source and privacy policy on the linked GitHub page.
功能分析
Type: OpenClaw Skill Name: agentcloak-email-proxy Version: 1.0.0 The skill is classified as benign due to its clear alignment with its stated purpose of providing a secure email proxy for AI agents. It transparently discloses its operational model, including the trust implications of using the hosted version (agentcloak.up.railway.app) and the requirement for external network calls. The skill explicitly limits agent capabilities to read and draft emails only, with no send, delete, or modify functions. While the self-hosting option involves `git clone` and `pnpm install` (which carries inherent supply chain risks common to software development), and the hosted version requires trusting a third-party service with email credentials, these risks are openly communicated in SKILL.md and do not indicate malicious intent from the skill bundle itself. The skill also describes features designed to *prevent* prompt injection and PII exfiltration from emails, rather than attempting them.
能力评估
Purpose & Capability
Name/description, required binary (mcporter), and the single required env var (AGENTCLOAK_API_KEY) are consistent with an MCP-based email proxy. The advertised capabilities (search, read, draft, filtering pipeline) map to the provided mcporter call examples. Minor inconsistency: the SKILL.md shows an optional AGENTCLOAK_URL env var in self-hosting instructions but AGENTCLOAK_URL is not listed in requires.env.
Instruction Scope
SKILL.md only instructs the agent/operator to configure mcporter and call AgentCloak endpoints; it does not tell the agent to read unrelated files, access other credentials, or exfiltrate data. Self-hosting instructions include git/pnpm commands for humans to run, but there is no runtime instruction for the agent to execute those. The trust statement at the end is truncated, so some privacy claims cannot be validated from this text alone.
Install Mechanism
There is no install spec and no code files in the skill bundle (instruction-only), so nothing will be downloaded or written by the skill itself. Self-host instructions point to a GitHub repo and standard Node/pnpm tooling, but that only applies if you choose to self-host.
Credentials
The only required credential is AGENTCLOAK_API_KEY (declared as primary), which is appropriate for a proxy service. The documentation references AGENTCLOAK_URL for self-host setups but does not declare it as required; that's a small documentation gap. The larger privacy/security consideration is operational: using the hosted service means you must trust that server with your email credentials and content.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request system-level persistence or permissions beyond a single API key and use of mcporter, and it does not modify other skills' configs.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install agentcloak-email-proxy
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /agentcloak-email-proxy 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release. Secure email proxy with PII redaction, prompt injection detection, and content filtering.
元数据
Slug agentcloak-email-proxy
版本 1.0.0
许可证
累计安装 2
当前安装数 2
历史版本数 1
常见问题

AgentCloak - Email Proxy that filters PII, 2FA, and password resets 是什么?

Secure email proxy for AI agents. Search, read, and draft emails via MCP with server-side credential isolation, PII redaction, prompt injection detection, an... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 630 次。

如何安装 AgentCloak - Email Proxy that filters PII, 2FA, and password resets?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install agentcloak-email-proxy」即可一键安装,无需额外配置。

AgentCloak - Email Proxy that filters PII, 2FA, and password resets 是免费的吗?

是的,AgentCloak - Email Proxy that filters PII, 2FA, and password resets 完全免费(开源免费),可自由下载、安装和使用。

AgentCloak - Email Proxy that filters PII, 2FA, and password resets 支持哪些平台?

AgentCloak - Email Proxy that filters PII, 2FA, and password resets 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 AgentCloak - Email Proxy that filters PII, 2FA, and password resets?

由 ryanfren(@ryanfren)开发并维护,当前版本 v1.0.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论