Analyze email inbox health with weather metaphors, spam/signal classification, email debt scoring, and ghost detection. Use when user asks about inbox status...
Security Analysis
high confidence
The skill's code and instructions are coherent with its stated purpose (reading mail via the himalaya CLI and producing local analyses), and there is no evidence of unexpected network exfiltration or unrelated credentials. However, the registry metadata omits the required himalaya binary and the owner/homepage are unknown, so you should review and run it locally first.
The skill's name/description (inbox analysis) matches what the code does: it calls the himalaya CLI to read mail, classifies messages, computes scores, and prints structured output. However, the registry metadata lists no required binaries while SKILL.md explicitly requires the himalaya CLI — this metadata omission is an inconsistency that could mislead users about what will run.
SKILL.md and the script stick to inbox analysis: discovering folders, calling himalaya to list envelopes, classifying emails, and emitting text/JSON reports. The script reads email metadata (senders, subjects, dates, flags) and will include sender email/subject in outputs (expected for this purpose). There are no instructions or code paths that read unrelated files, other services, or send data to external endpoints.
No install spec (instruction-only plus an included Python script). No downloads or archive extraction. Risk is low because the code runs locally and depends on an already-installed himalaya CLI and Python.
The skill requests no environment variables or external credentials in the manifest; it relies on the user's existing himalaya/IMAP configuration to access mail. That is proportionate to the described functionality. There are no unrelated credential requests.
The always setting is false, and there is no install step that attempts to persist or modify other skills or system-wide settings. Note: as with any skill that can be invoked autonomously, if the agent is allowed to run skills without explicit user prompts, it could read email via himalaya; that's a platform-level policy consideration rather than a problem in this skill's code.
Guidance
This skill appears to do what it claims: it uses the himalaya CLI to read your mailbox and analyzes messages locally, producing human-readable or JSON reports. Before installing or allowing the agent to run it autonomously: (1) confirm you have the himalaya CLI configured and understand which account it will access (IMAP credentials are stored in himalaya, not this skill), (2) review the included script locally — it prints sender/subject/date and may surface sensitive metadata, (3) note the registry metadata did not declare the himalaya dependency (an honesty/packaging mismatch), and (4) because the owner/homepage are unknown, prefer running the script yourself on sample data or in a controlled environment rather than granting broad autonomous access to your agent. If you want extra caution, run python3 scripts/email_classify.py locally and inspect outputs before enabling the skill for automated runs.
Latest Release
v1.0.0
Initial release: inbox weather, email debt score, ghost report, signal-to-noise ratio, time cost estimate, auto-discover folders
Published by @pfrederiksen on ClawHub