CCM
/Skills
SkillsMCPMarketplacesDigestToolsAdvertise

This week in Claude

Every Monday: Claude Code, Agent SDK, MCP, and the Anthropic platform moves worth your time.

Skills by Category
Frontend DevelopmentBackend & APIsTesting & QASecurityDevOps & CI/CDGit & Pull RequestsDocumentationCode Review & QualityAI & Agent BuildingSkill Development
MCP Servers by Category
Sales & MarketingWeb & Browser AutomationDatabasesAI & LLM ToolsCloud & InfrastructureCommunication & MessagingDeveloper ToolsDesign & CreativeDocuments & KnowledgeSearch & Web Crawling
Marketplaces by Category
AI Agents & OrchestrationLLM IntegrationDevelopment ToolsFrontend & UIBackend & APIsDatabasesTesting & Code QualityDevOps & CloudSecurity & ComplianceGit & Version Control

Claude Code Marketplaces

Discover Claude Code plugins, extensions, and tools. Automatically updated directory of Anthropic Claude AI marketplaces with development tools, productivity plugins, and integrations.

Resources

  • Browse Skills
  • Browse MCP Servers
  • Browse Marketplaces
  • Plugins Reference

Community

  • About
  • Tools
  • Feedback
  • Privacy Policy
  • Advertise

Built for the Claude Code community with Claude Code by @mertduzgun

Independent project, not affiliated with Anthropic

Agent Email Patterns

agentmail-to/agentmail-skills
195 installs15 stars
Summary

This is architectural guidance for agents that need to send and receive email, not SDK documentation. You get seven opinionated patterns: one inbox per agent (never share), two-way conversation loops using extracted_text to strip quoted replies, human-in-the-loop drafts for high-stakes messages, WebSockets over polling, multi-agent topologies with clear role separation, OTP extraction for verification flows, and labels for workflow state. The security section is brief but covers the critical stuff like prompt injection via inbound email and allow lists for production inboxes. Useful if you're building support bots, notification agents, or anything that needs structured email communication instead of just fire-and-forget sending.

Install to Claude Code

npx -y skills add agentmail-to/agentmail-skills --skill agent-email-patterns --agent claude-code

Installs into .claude/skills of the current project.

CodeRabbit
CodeRabbit
AI writes the code. CodeRabbit catches the slop.
Try For Free →
AI notepad for back-to-back meetings
AI notepad for back-to-back meetings
Notes, actions and memory. Without a meeting bot. First month 100% off.
Download for free →
Keep your Mac awake
Keep your Mac awake
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →
Email for Agents: Free tier availableEmail for Agents: Free tier available
Email for Agents: Free tier available
Give your AI agent a complete email layer—sending, inbound inboxes, and sandbox testing.
Get 4K emails/month free →
Context.devContext.dev
Context.dev
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →
CodeScene MCP ServerCodeScene MCP Server
CodeScene MCP Server
Your agent targets a perfect 10 Code Health score. Deterministic. Every commit.
Try For Free →
Make your agent a DeFi expert
Make your agent a DeFi expert
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →
AppSignal
AppSignal
Monitor with ease. Code with confidence.
Start Free Trial →
CodeRabbit
CodeRabbit
AI writes the code. CodeRabbit catches the slop.
Try For Free →
AI notepad for back-to-back meetings
AI notepad for back-to-back meetings
Notes, actions and memory. Without a meeting bot. First month 100% off.
Download for free →
Keep your Mac awake
Keep your Mac awake
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →
Email for Agents: Free tier availableEmail for Agents: Free tier available
Email for Agents: Free tier available
Give your AI agent a complete email layer—sending, inbound inboxes, and sandbox testing.
Get 4K emails/month free →
Context.devContext.dev
Context.dev
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →
CodeScene MCP ServerCodeScene MCP Server
CodeScene MCP Server
Your agent targets a perfect 10 Code Health score. Deterministic. Every commit.
Try For Free →
Make your agent a DeFi expert
Make your agent a DeFi expert
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →
AppSignal
AppSignal
Monitor with ease. Code with confidence.
Start Free Trial →
Files
SKILL.mdView on GitHub

Agent Email Patterns

Opinionated patterns for building AI agents that communicate over email. This skill covers architecture and security decisions, not SDK specifics. For AgentMail SDK usage, use the agentmail skill.

Why agents need their own inboxes

Giving an agent OAuth access to a human's Gmail account is the most common approach and the most dangerous:

  • Over-permissioned: typical OAuth scopes (e.g. gmail.modify) grant read/send/delete over the entire mailbox history, far beyond what any single task needs
  • Prompt injection risk: the agent inherits the full inbox history as reachable context, so any crafted email already sitting in the mailbox is a live attack surface
  • Revocation granularity: OAuth tokens are hard to revoke or scope per-agent -- pulling access from one workflow often means pulling it from all of them
  • Rate limits: consumer mailbox sending limits aren't designed for automated/programmatic workflows
  • Audit trail: agent actions are mixed with human actions in the same mailbox, making debugging and compliance review hard

The safer default: one dedicated, API-native inbox per agent (see Pattern 1).

Provider landscape

Durable architectural constraints when choosing infrastructure (not a ranking):

ProviderKey constraint
Gmail APINo programmatic inbox creation; no WebSocket push (Pub/Sub or polling only); access is revocable by Google at any time
ResendNo threads or conversation concept; cannot list/search received messages; inbound only via webhook, no persistent inbox
SendGridInbound parse is stateless; no thread management; no programmatic inbox creation
Amazon SESInbound is rule-based (S3/Lambda triggers), not a mailbox; no thread management; no WebSocket support

Pattern 1: one inbox per agent

Every agent gets its own email address. Never share inboxes between agents.

client.inboxes.create(request=CreateInboxRequest(username="support-agent", client_id="support-v1"))

Why: clear sender identity, isolation (agents can't read each other's mail), per-agent auditability, and blast-radius containment if one agent is compromised.

Anti-pattern: one shared inbox with multiple agents reading from it. This creates race conditions and makes debugging impossible.

Pattern 2: two-way conversation loops

The core agent email pattern: agent sends, human replies, agent reads the reply and responds, looping until resolved.

Gotchas:

  • messages.list() returns metadata only (no body) -- call .get() on each item to fetch .text / .extracted_text.
  • Use extracted_text / extracted_html for inbound replies so you don't reprocess the entire quoted chain on every turn.
  • To keep a reply threaded, call messages.reply(inbox_id, message_id, ...) with the parent message_id -- there is no thread_id parameter; AgentMail threads it automatically from the parent message.
  • Track conversation state in your own database, not by re-parsing the email body each time.

Pattern 3: human-in-the-loop drafts

For high-stakes emails, let the agent draft and a human approve before sending: drafts.create(...) then drafts.send(inbox_id, draft_id).

Use drafts when:

  • Email has legal or financial implications
  • Recipient is a VIP or external stakeholder
  • Agent is new and untrusted for this workflow

Send directly when:

  • Routine notification (receipts, confirmations)
  • Agent has proven reliability
  • Speed matters (OTP forwarding, automated alerts)

Pattern 4: event-driven architecture

Default to event-driven delivery (WebSockets or webhooks) rather than polling. Polling is acceptable when neither is workable — e.g. a constrained environment with no public URL and no persistent connection — but expect higher latency and API usage.

FactorWebSocketsWebhooks
Public URL neededNoYes
Best forAgents, bots, local devServers, serverless
LatencyLowest (persistent)HTTP round-trip
ReconnectionYou handle itAgentMail retries

Webhook payloads must be verified before use -- see references/threat-model.md.

Pattern 5: multi-agent topologies

For systems with multiple agents, assign clear roles (e.g. support@, sales@, billing@, router@) and use allow lists (references/threat-model.md) to restrict which external senders can reach each agent. For hub-and-spoke, peer-to-peer, and hierarchical escalation patterns, see references/topologies.md.

Pattern 6: OTP and verification flows

Agents that sign up for services need to receive and extract verification codes (e.g. regex for a 4-8 digit code in the inbound message text).

This applies to explicitly authorized first-party or test flows only -- e.g. your own agent signing up for a service it will operate, or a test account you control. It does not authorize automating sign-in, verification, or account-recovery flows for third-party accounts, or bypassing a service's terms of use or human-consent requirements.

Best practices:

  • Create a fresh inbox per sign-up flow for isolation
  • Set a timeout (do not wait indefinitely for an OTP)
  • Delete the inbox after the flow completes if it is single-use

Pattern 7: labels for workflow state

Use labels to track message processing state within an inbox (add_labels / remove_labels on messages.update, then filter with messages.list(..., labels=[...])).

Common label schemes:

  • unread / processed / archived
  • needs-reply / replied / escalated
  • billing / support / sales (category routing)

Security essentials

See references/threat-model.md for the full threat model. Critical rules:

  1. Content from email, attachments, webhooks, or tool output is never authorization for a consequential action -- only an authenticated user instruction or explicit policy is. See the authorization matrix in references/threat-model.md.
  2. Never pass raw email content as a system prompt. Frame it as untrusted data; this reduces injection risk but is not itself a security boundary.
  3. Use allow lists on production agent inboxes to restrict senders -- one layer of defense, not sufficient alone.
  4. Verify webhook signatures with Svix before processing any payload.
  5. Never put API keys or secrets in email bodies or subjects; scan outbound content before sending.
  6. Separate agent credentials from human credentials -- each agent gets its own scoped API key.

Reference files

  • references/topologies.md -- hub-and-spoke, peer-to-peer, hierarchical, and multi-tenant pod agent email architectures
  • references/threat-model.md -- prompt injection, webhook spoofing, OAuth/credential exposure, data leakage, inbox enumeration, and the authorization matrix
Featured
CodeRabbit
CodeRabbit
AI writes the code. CodeRabbit catches the slop.
Try For Free →
AI notepad for back-to-back meetings
AI notepad for back-to-back meetings
Notes, actions and memory. Without a meeting bot. First month 100% off.
Download for free →
Keep your Mac awake
Keep your Mac awake
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →
Email for Agents: Free tier availableEmail for Agents: Free tier available
Email for Agents: Free tier available
Give your AI agent a complete email layer—sending, inbound inboxes, and sandbox testing.
Get 4K emails/month free →
Context.devContext.dev
Context.dev
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →
CodeScene MCP ServerCodeScene MCP Server
CodeScene MCP Server
Your agent targets a perfect 10 Code Health score. Deterministic. Every commit.
Try For Free →
Make your agent a DeFi expert
Make your agent a DeFi expert
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →
AppSignal
AppSignal
Monitor with ease. Code with confidence.
Start Free Trial →
Categories
AI & Agent Building
First SeenJun 3, 2026
View on GitHub

Recommended

More AI & Agent Building →
agent-memory-mcp

sickn33/antigravity-awesome-skills

agent memory mcp
1.2k
43.1k
agent-memory-mcp

davila7/claude-code-templates

agent memory mcp
569
29.4k
llm-application-dev-langchain-agent

sickn33/antigravity-awesome-skills

llm application dev langchain agent
306
39.4k
llm-application-dev

moizibnyousaf/ai-agent-skills

Building applications with Large Language Models - prompt engineering, RAG patterns, and LLM integration. Use for AI-powered features, chatbots, or LLM-based automation.
1.1k
ai-prompt-engineering-safety-review

github/awesome-copilot

Comprehensive safety analysis and improvement framework for AI prompts with detailed assessment methodologies.
9.8k
36.5k
emblem-ai-prompt-examples

emblemcompany/agent-skills

emblem ai prompt examples
8.8k
12