AgentSkillsCN

read-no-evil-mcp

通过 read-no-evil-mcp 实现安全的电子邮件访问。有效防范电子邮件中的提示注入攻击。适用于阅读、发送、删除以及移动电子邮件。

SKILL.md
--- frontmatter
name: read-no-evil-mcp
description: Secure email access via read-no-evil-mcp. Protects against prompt injection attacks in emails. Use for reading, sending, deleting, and moving emails.

read-no-evil-mcp

Secure email gateway that scans emails for prompt injection attacks before you see them.

Prerequisites

Install the read-no-evil-mcp package (version must match skill version):

bash
pip install read-no-evil-mcp==0.2.0

Configuration

Config File

Create ~/.config/read-no-evil-mcp/config.yaml:

yaml
accounts:
  - id: "default"
    type: "imap"
    host: "mail.example.com"
    port: 993
    username: "you@example.com"
    ssl: true
    permissions:
      read: true
      send: false
      delete: false
      move: false
    smtp_host: "mail.example.com"
    smtp_port: 587
    from_address: "you@example.com"
    from_name: "Your Name"

Credentials

Create ~/.config/read-no-evil-mcp/.env:

bash
RNOE_ACCOUNT_DEFAULT_PASSWORD=your-password

Environment variable format: RNOE_ACCOUNT_{ACCOUNT_ID}_PASSWORD (uppercase).

CLI Commands

bash
# List recent emails (last 30 days)
rnoe-mail.py list

# List with options
rnoe-mail.py list --limit 10 --days 7 --account myaccount

# Read email (scanned for prompt injection!)
rnoe-mail.py read <uid>

# Send email (requires send permission)
rnoe-mail.py send --to "user@example.com" --subject "Hello" --body "Message"

# List folders
rnoe-mail.py folders

# Move email to folder
rnoe-mail.py move <uid> --to "Archive"

Prompt Injection Detection

All emails are automatically scanned:

  • Safe: Content displayed normally
  • Injection detected: Exit code 2, shows score + patterns

Uses ProtectAI's DeBERTa model (local inference, no external APIs).

Permissions

PermissionDescriptionDefault
readList and read emailstrue
sendSend emails via SMTPfalse
deleteDelete emailsfalse
moveMove emails between foldersfalse

Security Notes

  • Emails are scanned for prompt injection before content is returned
  • ML model runs locally — no data sent to external APIs
  • Enable write permissions only when needed
  • Consider using app-specific passwords