We checked this and rejected itprivacy

Apple Mail MCP: why it is not safe to use

Apple Mail MCP reads full email bodies and can send, forward, and mail-merge, so a malicious message could steer it into leaking mailbox contents.

What we found

Apple Mail MCP (`sweetrb/apple-mail-mcp`) scored 74/100 and passed our checks for hardcoded secrets, obfuscation, credential harvesting, and privilege escalation. Passwords stay in the macOS Keychain, and it runs local-only through AppleScript unless you set the optional IMAP/SMTP env vars.

Our warnings center on one pattern. The skill reads whole email bodies (`get-message`, `get-thread`, `triage-inbox`) and can also send, reply, forward, and run `send-serial-email` to as many as 100 recipients. A crafted incoming email could carry instructions that a model follows, forwarding or leaking your mail. This prompt-injection exposure is common to any read-plus-send mail tool and is not a code defect we found. The skill can also delete messages and mailboxes and edit Mail rules through `osascript`, scoped to Mail and gated by the macOS automation prompt.

What to do instead

Use it if you accept the trade-off, with limits. Prefer `create-draft` so you review before anything sends. Keep the IMAP/SMTP env vars unset to stay local. Avoid pointing it at untrusted inboxes, and watch the macOS automation permission it requests.

Want the same outcome, safely? Use our checked skill instead.

Source: https://github.com/sweetrb/apple-mail-mcp

We report what our security review found at the time we checked, with the goal of keeping people safe. Projects change; if a maintainer has since fixed this, we are glad to recheck it. Email hello@agentpod.com.

Copied to clipboard. Go back to ChatGPT or Claude and paste it to teach the skill.