Labsco
UseJunior logo

Email Agent MCP

โ˜… 3

from UseJunior

Local email connectivity for AI agents โ€” read, draft, send, and organize Outlook mail via MCP. Apache-2.0 licensed.

๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅโœ“ VerifiedFreeAdvanced setup

Agent Email

npm version npm downloads License: Apache-2.0 CI codecov GitHub stargazers Tests: Vitest OpenSpec Traceability Socket Badge install size

English | Espaรฑol | ็ฎ€ไฝ“ไธญๆ–‡ | Portuguรชs (Brasil) | Deutsch

email-agent-mcp by UseJunior -- local email connectivity for AI agents.

Agent Email is an open-source TypeScript MCP server that lets Claude Code, Cursor, Gemini CLI, OpenClaw, and other MCP-compatible runtimes read email, search threads, draft replies, label messages, change read state, move messages, and send mail through your own mailbox. Microsoft 365 / Outlook and Gmail are supported today. Security-first defaults mean agents cannot send email until you explicitly configure an allowlist.

What Works Today

  • Microsoft 365 / Outlook mailbox access through MCP stdio
  • list_emails, read_email, search_emails, and get_thread
  • create_draft, update_draft, send_draft, send_email, and reply_to_email
  • label_email, mark_read, and move_to_folder
  • send allowlists, delete disabled by default, and sanitized errors

The current launch-prep pass was validated against a real Outlook mailbox for read, draft, send, categorize, move, and read-state flows.

Why This Exists

AI agents need to read, reply to, and act on email, but email APIs are complex. OAuth flows, Graph delta queries, Gmail push subscriptions, HTML-to-markdown conversion, threading semantics -- each provider has its own quirks.

Agent Email wraps this complexity into deterministic MCP tools with security guardrails:

  • send and receive allowlists that control who agents can contact
  • delete disabled by default (requires explicit opt-in)
  • error sanitization that strips API keys, file paths, and stack traces
  • body file sandboxing with path traversal protection

Use with Claude Code

Add to ~/.claude/settings.json or your project .claude/settings.json:

{
  "mcpServers": {
    "email-agent-mcp": {
      "type": "stdio",
      "command": "npx",
      "args": ["-y", "email-agent-mcp"]
    }
  }
}

Use with Cursor

// .cursor/mcp.json
{
  "mcpServers": {
    "email-agent-mcp": {
      "command": "npx",
      "args": ["-y", "email-agent-mcp"]
    }
  }
}

Use with Gemini CLI

gemini extensions install https://github.com/UseJunior/email-agent-mcp

Use with OpenClaw

Add an mcp block to ~/.openclaw/openclaw.json:

{
  // ... existing config ...
  mcp: {
    servers: {
      email: {
        command: "npx",
        args: ["tsx", "/path/to/email-agent-mcp/packages/email-mcp/src/serve-entry.ts"],
        transport: "stdio"
      }
    }
  }
}

Version note: The mcp config key requires OpenClaw app >= 2026.3.24. If the CLI is older than the app, it may reject this key during validation even though the gateway accepts it. Update the CLI with npm install openclaw@latest in your NemoClaw directory, or restart the gateway directly with launchctl kickstart -k gui/501/ai.openclaw.gateway.

Email watcher

The watcher polls your mailbox and sends wake signals to OpenClaw when new email arrives:

# Set the hooks token (must match hooks.token in openclaw.json)
export OPENCLAW_HOOKS_TOKEN="your-hooks-token"

# Start the watcher (defaults to http://localhost:18789/hooks/wake)
npm run dev:watch

The watcher requires at least one configured mailbox. Run npx email-agent-mcp or npm run dev:configure first to complete the OAuth flow.

Launch Prep Smoke Test

Before recording a demo, run the live smoke script against a real mailbox and a safe send allowlist. The script exercises:

  • get_mailbox_status
  • list_emails + read_email
  • mark_read unread -> read -> unread
  • label_email on a safe inbox candidate
  • create_draft
  • draft-only reply_to_email
  • optional send_email

Example:

EMAIL_AGENT_MCP_HOME=/tmp/email-agent-mcp-live \
AGENT_EMAIL_SEND_ALLOWLIST=/tmp/email-agent-mcp-live/send-allowlist.json \
npm run launch:prep:smoke -- --live-write --send-to beta@usejunior.com

Default safe-candidate selection looks for notifications@github.com in the inbox so you can rehearse the recording flow on a public-safe message instead of customer mail. If your mailbox status name is not an email address, pass --reply-sender <email> or set EMAIL_AGENT_MCP_REPLY_SENDER so the script can find a self-sent message for the draft-reply check.

Tool Reference

Agent Email exposes 15 MCP tools:

ToolDescriptionType
list_emailsList recent emails with filteringread
read_emailRead full email content as markdownread
search_emailsFull-text search across mailboxesread
get_mailbox_statusConnection status and warningsread
get_threadFull conversation contextread
send_emailSend new email (allowlist-gated)write
reply_to_emailReply within thread (allowlist-gated on send)write
create_draftCreate email draftwrite
update_draftUpdate draft contentwrite
send_draftSend a saved draftwrite
label_emailApply labels/categorieswrite
flag_emailFlag/unflag emailswrite
mark_readMark as read/unreadwrite
move_to_folderMove between folderswrite
delete_emailDelete (requires operator env + caller flag)destructive

Outbound attachments

send_email, reply_to_email, create_draft, and update_draft accept an optional attachments array. Each entry takes a sandboxed file path (read relative to EMAIL_MCP_SAFE_DIR, default the process working directory) or inline base64, plus optional filename / mimeType overrides:

{
  "to": "alice@example.com",
  "subject": "Signed agreement",
  "body": "Attached as requested.",
  "attachments": [
    { "path": "./out/agreement.pdf" },
    { "base64": "iVBORw0KGgo...", "filename": "screenshot.png" }
  ]
}

Files are capped at 25MB each; Microsoft Graph additionally caps inline sends at ~3MB total (larger files need an upload session โ€” not yet supported). For update_draft, omitting attachments preserves the draft's existing files; passing an array (even empty) replaces them.

Provider Support

ProviderStatusPackage
Microsoft 365 (Graph API)Fully supported@usejunior/provider-microsoft
GmailSupported via interactive CLI OAuth or manual refresh-token setup@usejunior/provider-gmail

Use email-agent-mcp configure --provider gmail to run the local browser OAuth flow, or add a manual mailbox token file under ~/.email-agent-mcp/tokens/. See packages/provider-gmail/README.md.

Security Defaults

Agent Email ships with restrictive defaults that you loosen as needed:

  • Send allowlist: empty by default -- agents cannot send email until you add recipients
  • Receive allowlist: accepts all by default -- controls which senders trigger the watcher
  • Delete disabled: agents cannot delete email by default. Two gates must both be satisfied:
    1. operator sets AGENT_EMAIL_DELETE_ENABLED=true in the email-agent-mcp process environment (and AGENT_EMAIL_HARD_DELETE_ENABLED=true for permanent deletion). Restart required after change.
    2. the caller passes user_explicitly_requested_deletion: true on the tool call.
  • Error sanitization: API keys, file paths, and stack traces are redacted from error responses
  • Body file sandboxing: no ../ traversal, no symlinks, binary detection

Packages

PackageDescription
@usejunior/email-coreCore email actions, content engine, security, and provider interfaces
@usejunior/email-mcpMCP server adapter, CLI, and watcher
@usejunior/provider-microsoftMicrosoft Graph API email provider
@usejunior/provider-gmailGmail API email provider
email-agent-mcpDistribution wrapper (npx email-agent-mcp)

Quality and Trust Signals

  • CI runs on every pull request and push to main (lint, typecheck, tests on Node 20 + 22)
  • CodeQL and Semgrep security scanning
  • Coverage published to Codecov
  • OpenSpec traceability enforcement via npm run check:spec-coverage
  • 300+ tests across the suite
  • Maintainer: Steven Obiajulu

Architecture

email-agent-mcp/
โ”œโ”€โ”€ packages/
โ”‚   โ”œโ”€โ”€ email-core          Core actions, content engine, security
โ”‚   โ”œโ”€โ”€ email-mcp           MCP server adapter, CLI, watcher
โ”‚   โ”œโ”€โ”€ provider-microsoft  Microsoft Graph provider
โ”‚   โ”œโ”€โ”€ provider-gmail      Gmail API provider
โ”‚   โ””โ”€โ”€ email-agent-mcp         Distribution wrapper (npx entry point)
โ”œโ”€โ”€ openspec/               Spec-driven development
โ””โ”€โ”€ scripts/                CI and validation scripts

Releasing

Tag-driven release via GitHub Actions with npm OIDC trusted publishing. All 5 packages publish in dependency order with --provenance, then server.json is published to the official MCP Registry with mcp-publisher.

Development

npm ci
npm run build
npm run lint --workspaces --if-present
npm run test:run
npm run check:spec-coverage

See Also

Privacy

Agent Email runs entirely on your local machine. Email credentials are stored in your OS keychain (MSAL) and local config files. No email content is sent to external servers by Agent Email itself.

Governance