Apple Mail MCP: why it is not safe to use
Apple Mail MCP reads full email bodies and can send, forward, and mail-merge, so a malicious message could steer it into leaking mailbox contents.
What we found
Apple Mail MCP (`sweetrb/apple-mail-mcp`) scored 74/100 and passed our checks for hardcoded secrets, obfuscation, credential harvesting, and privilege escalation. Passwords stay in the macOS Keychain, and it runs local-only through AppleScript unless you set the optional IMAP/SMTP env vars.
Our warnings center on one pattern. The skill reads whole email bodies (`get-message`, `get-thread`, `triage-inbox`) and can also send, reply, forward, and run `send-serial-email` to as many as 100 recipients. A crafted incoming email could carry instructions that a model follows, forwarding or leaking your mail. This prompt-injection exposure is common to any read-plus-send mail tool and is not a code defect we found. The skill can also delete messages and mailboxes and edit Mail rules through `osascript`, scoped to Mail and gated by the macOS automation prompt.
What to do instead
Use it if you accept the trade-off, with limits. Prefer `create-draft` so you review before anything sends. Keep the IMAP/SMTP env vars unset to stay local. Avoid pointing it at untrusted inboxes, and watch the macOS automation permission it requests.
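One way to enforce these limits mechanically is a tool-call gate in front of the server, as an added example (not code from apple-mail-mcp): send-type calls are rewritten into `create-draft`, `send-serial-email` is refused, and the IMAP/SMTP switch is checked. The send/reply/forward tool names and the env var names are assumptions; only the tools named in this review are taken from the page.

```python
"""Tool-call gate for a read-plus-send mail MCP server (hypothetical proxy logic,
not code from sweetrb/apple-mail-mcp). It applies the advice above: route send-type
calls to `create-draft` for human review, refuse bulk sends, and keep the server
local-only. Tool names other than those cited in the review are assumptions."""
import os

# Tools named in the review.
READ_TOOLS = {"get-message", "get-thread", "triage-inbox"}
BULK_SEND = "send-serial-email"
DRAFT_TOOL = "create-draft"
# Assumed names for the send/reply/forward tools (not confirmed on the page).
SEND_TOOLS = {"send-message", "reply-message", "forward-message"}
# Env vars whose presence would switch the server from local AppleScript to
# IMAP/SMTP (names assumed; the review only says "IMAP/SMTP env vars").
REMOTE_ENV = ("IMAP_HOST", "SMTP_HOST")


def remote_mode_enabled(env=os.environ):
    """True if any IMAP/SMTP env var is set, i.e. the server would leave local-only mode."""
    return any(env.get(k) for k in REMOTE_ENV)


def gate_tool_call(call):
    """Decide what to do with one MCP `tools/call` request ({"name": ..., "arguments": ...}).

    Returns (action, payload): "allow" passes the call through unchanged, "rewrite"
    turns a send into a draft with the same arguments so a human reviews it before
    anything leaves the mailbox, and "deny" blocks the call with a reason.
    """
    name = call["name"]
    args = dict(call.get("arguments", {}))
    if name == BULK_SEND:
        return "deny", {"reason": f"{BULK_SEND} can reach up to 100 recipients; use {DRAFT_TOOL}"}
    if name in SEND_TOOLS:
        # Same recipients and body, but the message lands in Drafts, not the outbox.
        return "rewrite", {"name": DRAFT_TOOL, "arguments": args}
    if name in READ_TOOLS or name == DRAFT_TOOL:
        return "allow", call
    # Anything else (delete-message, rule editing, unknown tools) is off by default.
    return "deny", {"reason": f"tool {name!r} is not on the allowlist"}
```

Reads still flow through, so a crafted message can still try to steer the model; the gate only ensures the steering cannot turn into an unreviewed send.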
Source: https://github.com/sweetrb/apple-mail-mcp
We report what our security review found at the time we checked, with the goal of keeping people safe. Projects change; if a maintainer has since fixed this, we are glad to recheck it. Email hello@agentpod.com.