The emails go through quickbooks/accounting software, Clawbolt doesn't have any direct email client. Use of tools is on a gradual permission basis like Claude code, and Clawbolt doesn't have any general code access or web access. I think you highlight an important point though that prompt injection continues to be a hazard of AI agent use, though tools continue to be developed to fight against it. The goal is to lock Clawbolt down as much as possible to help users avoid the security hazards of systems like openclaw, but this is definitely something that we'll need to watch and be careful about!