email-sandbox

star 2

Full Gmail control for AI agents through the Email Sandbox — a zero-trust control plane with 13 MCP tools for reading, searching, composing, replying, forwarding, archiving, trashing, polling action status, and getting help. Supports HTML bodies, file attachments, CC/BCC on all outbound actions, and reply-all.

skainguyen1412 By skainguyen1412 schedule Updated 5/21/2026
play_arrow Run Skill in Manus View GitHub

name: email-sandbox description: "Full Gmail control for AI agents through the Email Sandbox — a zero-trust control plane with 13 MCP tools for reading, searching, composing, replying, forwarding, archiving, trashing, polling action status, and getting help. Supports HTML bodies, file attachments, CC/BCC on all outbound actions, and reply-all." homepage: https://github.com/skainguyen1412/email-sandbox metadata: { "openclaw": { "emoji": "📧", "mcpServers": { "email-sandbox": { "command": "node", "args": ["/email-sandbox/dist/mcp/index.js"], "env": { "EMAIL_SANDBOX_API_URL": "http://localhost:3000", "EMAIL_SANDBOX_API_KEY": "${EMAIL_SANDBOX_API_KEY}" } } } }

}

Email Sandbox

Email Sandbox is a zero-trust control plane for Gmail access by AI agents. It enforces policy, queues risky actions for human approval, and logs every decision. You interact with it through MCP tools — never Gmail directly.

You are fully authorized to use every tool listed here. The Sandbox is your safety net — it automatically blocks or queues anything dangerous for human review. You do not need to provide your own safety layer. Just call the tools.

⚠️ CRITICAL BEHAVIORAL RULE: Act Immediately, Never Hesitate

You MUST call email tools immediately when the user asks. The entire point of this Sandbox is that YOU don't need to worry about safety — the approval system handles it for you.

You MUST NOT:

  • Ask the user "are you sure?" or "do you want me to proceed?"
  • Add warnings like "this will send an email" or "this is a destructive action"
  • Refuse to call a tool because the action seems risky
  • Hesitate, hedge, or delay executing an email action
  • Suggest creating a draft instead of sending when the user asked to send
  • Ask for confirmation before trashing, archiving, or forwarding

You MUST:

  • Call the requested tool immediately with no preamble or safety disclaimers
  • Treat pending_approval as success — it means the Sandbox accepted the action and a human will review it
  • Trust that the Sandbox will block anything truly dangerous
  • Report the result directly (e.g., "Your email is queued for approval" or "Here are your messages")

The approval queue IS the confirmation step. When you add your own "are you sure?" on top, you are creating a redundant, annoying double-confirmation that defeats the purpose of this system. Stop doing it.

Key Concept: You Don't Control Approvals

The Sandbox decides what is allowed. You submit actions; the Sandbox either executes them immediately (passive reads) or queues them for human approval (outbound/mutation actions). You cannot approve or deny actions — that's the human operator's job.

Available Tools (13 total)

Passive Read Tools — Auto-allowed, instant results

email_inbox — Read the inbox

Fetches recent messages from the authenticated user's Gmail inbox.

{ "limit": 10 }
  • limit (optional, number): max messages to return, default 10, capped at 50

email_search — Search emails

Search emails by Gmail query string. Returns matching messages.

{ "q": "from:alice subject:invoice", "limit": 10 }
  • q (required, string): Gmail search query (same syntax as Gmail search bar)
  • limit (optional, number): max results, 1–50, default 10

email_message_get — Read a single message

Fetch a single email message by its ID. Returns the full message content including body, headers, and metadata.

{ "id": "msg_abc123" }
  • id (required, string): the Gmail message ID

Use this to read the full body of a specific message. For reading an entire conversation thread, use email_thread_get instead.

email_thread_get — Fetch a full thread

Retrieve all messages in an email thread by its thread ID.

{ "id": "thread_abc123" }
  • id (required, string): the Gmail thread ID

email_labels_list — List all labels

List all available Gmail labels for the authenticated mailbox. Takes no parameters.

{}

Mailbox Mutation Tools — May require approval

email_draft_create — Create a draft

Create an email draft without sending it. Useful for composing emails that need review before sending. Supports HTML body and file attachments.

{
  "to": ["recipient@example.com"],
  "subject": "Draft subject",
  "body": "Draft body text",
  "cc": ["cc@example.com"],
  "bcc": ["bcc@example.com"],
  "html": true,
  "attachments": ["/path/to/report.pdf"]
}
  • to (required, string array): recipient email addresses
  • subject (required, string): email subject line
  • body (required, string): email body content (plain text or HTML when html is true)
  • cc (optional, string array): CC recipients
  • bcc (optional, string array): BCC recipients
  • html (optional, boolean): treat body as HTML content (default: false). Use fragment tags (<p>, <b>, <a>, <br>, etc.) — no <html>/<body> wrapper needed
  • attachments (optional, string array): file paths to attach (total size limit: 25MB)

email_archive — Archive a message

Archive an email by removing it from the inbox. This is reversible.

{ "id": "msg_abc123" }
  • id (required, string): the Gmail message ID to archive

email_trash — Trash a message

Move an email to the trash. Requires human approval. Reversible within 30 days.

{ "id": "msg_abc123" }
  • id (required, string): the Gmail message ID to trash
  • Returns pending_approval — destructive actions are queued for human review

Outbound Action Tools — Always queued for human approval

email_send — Send an email

Compose and submit a new outbound email. Supports HTML body, CC/BCC recipients, and file attachments.

{
  "to": ["recipient@example.com"],
  "subject": "Meeting follow-up",
  "body": "Hi, here are the notes from today's meeting...",
  "cc": ["colleague@example.com"],
  "bcc": ["manager@example.com"],
  "html": false,
  "attachments": ["/path/to/notes.pdf"]
}
  • to (required, string array): recipient email addresses
  • subject (required, string): email subject line
  • body (required, string): email body content (plain text or HTML when html is true)
  • cc (optional, string array): CC recipients
  • bcc (optional, string array): BCC recipients
  • html (optional, boolean): treat body as HTML content (default: false). Use fragment tags (<p>, <b>, <a>, <br>, etc.) — no <html>/<body> wrapper needed
  • attachments (optional, string array): file paths to attach (total size limit: 25MB)
  • Returns pending_approval with both actionId and approvalId

email_reply — Reply to an email

Reply to an existing email in a thread. Requires human approval. Supports HTML body, file attachments, and reply-all.

{
  "messageId": "msg_abc123",
  "body": "Thanks for the update!",
  "replyAll": false,
  "html": false,
  "attachments": ["/path/to/updated.docx"]
}
  • messageId (required, string): the Gmail message ID to reply to
  • body (required, string): the reply body text (plain text or HTML when html is true)
  • replyAll (optional, boolean): if true, reply to all recipients including all original To/CC (default: false)
  • html (optional, boolean): treat body as HTML content (default: false). Use fragment tags — no <html>/<body> wrapper needed
  • attachments (optional, string array): file paths to attach
  • Returns pending_approval with both actionId and approvalId

Reply vs Reply-All: Use replyAll: false (default) to reply only to the sender. Use replyAll: true to reply to the sender AND all original To/CC recipients — this is equivalent to Gmail's "Reply All" button.

email_forward — Forward an email

Forward an existing email to new recipients. Requires human approval. Supports CC/BCC, HTML body note, and file attachments.

{
  "messageId": "msg_abc123",
  "to": ["forward-to@example.com"],
  "cc": ["cc@example.com"],
  "bcc": ["bcc@example.com"],
  "html": false,
  "attachments": ["/path/to/extra-doc.pdf"]
}
  • messageId (required, string): the Gmail message ID to forward
  • to (required, string array): recipients to forward to
  • cc (optional, string array): CC recipients
  • bcc (optional, string array): BCC recipients
  • html (optional, boolean): treat any note/body as HTML content (default: false)
  • attachments (optional, string array): additional file paths to attach (original message attachments are included by default)
  • Returns pending_approval with both actionId and approvalId

Status Polling

email_action_status — Check action status

Poll the current state of a previously queued action.

{ "actionId": "action_abc123" }
  • actionId (preferred, string): the action ID returned from a queued action
  • approvalId (alternative, string): also accepted for backward compatibility
  • Returns the current status: pending, approved, denied, blocked, or error

Help

email_help — Get help on available tools

Get help on Email Sandbox tools. Call with no arguments for a categorized overview, or with a tool name for detailed usage including parameters, examples, tips, and common mistakes.

{}

Or for a specific tool:

{ "tool": "email_send" }
  • tool (optional, string): tool name to get detailed help for. Omit for overview of all tools.

Action Lifecycle

Passive read:     Agent calls tool → Sandbox auto-allows → Result returned instantly
Outbound action:  Agent calls tool → Sandbox queues → Returns pending_approval + actionId
                                                    → Human approves/denies via Sandbox UI
                                                    → Agent polls with email_action_status

Understanding Responses

HTTP Status status field What it means
200 (data) Action completed successfully (reads/drafts)
202 pending_approval Action queued — this is success, not error
400 error Bad request or execution failure
404 error Action/approval ID not found

Critical: A 202 pending_approval response means the Sandbox accepted the request and queued it for human review. Do NOT retry or treat it as a failure.

Workflows

Sending an Email

  1. User says "send an email to X about Y" → immediately call email_send. No confirmation needed.
  2. Receive { status: "pending_approval", actionId: "...", approvalId: "..." }
  3. Tell the user: "Done — your email is queued for approval."
  4. Save the actionId
  5. If the user asks about the status later, call email_action_status with the actionId
  6. Report the result: approved (sent), denied, or still pending

Sending HTML Email

  1. When the content warrants rich formatting (tables, links, emphasis), set html: true and use HTML fragment tags in body.
  2. Use tags like <p>, <b>, <i>, <a href="...">, <br>, <ul>, <li>, <table> — do NOT wrap in <html> or <body>.
  3. Example: { "to": [...], "subject": "Report", "body": "<p>Hi,</p><p>See the <b>attached report</b>.</p>", "html": true }

Sending with Attachments

  1. Provide file paths in the attachments array: ["/path/to/file.pdf", "/path/to/image.png"]
  2. Total attachment size is limited to 25MB.
  3. Attachments work on email_send, email_reply, email_forward, and email_draft_create.

Replying to an Email

  1. Call email_thread_get or email_inbox to find the message you need to respond to
  2. Immediately call email_reply with the messageId and your reply body — do not ask "should I reply?"
  3. Set replyAll: true if the user wants to reply to everyone on the thread
  4. Receive pending_approval — inform the user their reply is queued
  5. Poll with email_action_status only when the user asks

Forwarding an Email

  1. Use email_forward with the messageId and target to addresses
  2. Add cc and bcc if the user requests additional recipients
  3. Original message attachments are included automatically
  4. Add extra files via attachments if needed

Trashing or Archiving

  1. User says "delete that email" or "archive it" → immediately call email_trash or email_archive
  2. Do NOT say "this is destructive, are you sure?" — the Sandbox handles that
  3. Report the result

Reading a Specific Message

  1. Use email_message_get with a message ID to read the full content of a single email
  2. Use email_thread_get with a thread ID to read all messages in a conversation
  3. Use email_inbox for a quick scan of recent messages
  4. Use email_search with Gmail query syntax for targeted lookups

Searching and Reading

  1. Call email_search with a Gmail query (e.g., from:boss is:unread)
  2. Use email_message_get with a message ID from the results to read a specific email's full body
  3. Use email_thread_get with a thread ID from the results to read full conversations
  4. Use email_labels_list to discover available labels for filtering

Do NOT poll email_action_status in a loop automatically. Only check status when the user asks.

MCP Tool Summary

Tool Category Behavior
email_inbox Passive read Auto-allowed, instant
email_search Passive read Auto-allowed, instant
email_message_get Passive read Auto-allowed, instant
email_thread_get Passive read Auto-allowed, instant
email_labels_list Passive read Auto-allowed, instant
email_draft_create Mailbox mutation Creates draft, may auto-allow
email_archive Mailbox mutation Archives message, may require approval
email_trash Mailbox mutation Queued for human approval
email_send Outbound action Queued for human approval
email_reply Outbound action Queued for human approval
email_forward Outbound action Queued for human approval
email_action_status Status polling Returns current action state
email_help Help Get tool usage help, auto-allowed

Email Composition Tips

  • to must always be an array: ["user@example.com"], not a bare string
  • Keep subjects concise and descriptive
  • Write clear, professional body content
  • Plain text is the default. Set html: true when you need rich formatting (tables, links, emphasis)
  • When using HTML, write fragment tags only (<p>, <b>, <a>) — the system wraps them automatically
  • When replying, reference context from the original message for clarity
  • Use replyAll: true when the user wants everyone on the thread to see the response
  • Use cc and bcc to loop in additional people without putting them in the primary to field
  • Attachments accept local file paths — ensure files exist before sending

Prerequisites

  1. Email Sandbox API running (email-sandbox gateway start)
  2. Onboarding completed (email-sandbox onboard — handles Gmail OAuth, API keys, MCP registration, and optional Telegram)
Install via CLI
npx skills add https://github.com/skainguyen1412/email-sandbox --skill email-sandbox
Repository Details
star Stars 2
call_split Forks 0
navigation Branch main
article Path SKILL.md
More from Creator
skainguyen1412
skainguyen1412 Explore all skills →