Email is the most obvious candidate for AI automation and also the one that most commonly goes wrong. Setups either do too much (the agent sends replies you did not intend) or too little (it flags everything as important and saves no time). Getting the scope right matters more than the implementation details. Here is a workflow that threads that needle with a human-in-the-loop design. — The three safe actions An email triage agent should do exactly three things: Triage priority. Read the inbox, classify each email as urgent / normal / low / noise, and surface the urgent ones. This is read-only, low-risk, and high-value. The agent does not need to understand the nuance of every email - it needs to catch the ones that cannot wait. Summarize threads. For any thread longer than two messages, produce a one-paragraph summary: what was asked, what was decided, what is outstanding. This alone saves significant time when returning to a long thread after a break. Draft a reply for review. Write a response based on the thread context and any instructions you give. The draft goes to a holding area, not to the recipient. You review, edit, and send. The agent never sends. That last constraint is not a limitation - it is the design. The moment an agent can send email autonomously, the risk profile changes entirely. A misclassified urgency is recoverable. An accidental reply to a client or a misdirected sensitive message is not. — Building the human-in-the-loop checkpoint structurally The checkpoint needs to be structural, not just instructional. Telling the agent “always ask before sending” is not enough, because agents can be instructed around it or make mistakes under edge cases. The structural version: The agent writes drafts to a staging file or folder, never to a send queue Sending is a separate tool that requires explicit invocation with a draft ID That send tool is not exposed to the agent at all - only to you In OpenClaw terms: the agent has a draft_reply tool that writes to drafts/pending/ . It does not have a send_email tool. You review the pending folder and send manually, or via a separate human-triggered flow. This architecture makes it structurally impossible for the agent to send without your action, regardless of how it is prompted. — Labeling and routing without full understanding One thing agents do reliably: apply consistent labeling rules to high volumes of email. You do not need the agent to understand every email. You need it to apply a ruleset: Emails from a specific domain or sender list go to a priority label Emails containing specific keywords (invoice, deadline, urgent, contract) get flagged Newsletters, notifications, and automated messages get archived or labeled noise Anything with an attachment from an unknown sender gets a security-review label These rules are deterministic enough that the agent applies them consistently. They do not require semantic understanding - they require pattern matching, which models do well. Write the rules explicitly in the agent prompt. Do not rely on the model to infer them from your preferences. The more specific your rules, the more consistent the output. — The 20% agents handle badly Even a well-designed email agent will mishandle a predictable subset of messages. Knowing what they are lets you route around them. Emotionally sensitive messages. Complaints, personal conflicts, bad news. The agent can draft a reply but the draft will often be too formal, too brief, or miss the human dimension entirely. Flag these for manual handling. High-stakes ambiguous requests. When the right response depends on context the agent does not have (internal politics, relationship history, a recent conversation the agent was not part of), the draft will be plausible but wrong in subtle ways. Flag emails where the sender relationship is complex. Anything requiring a judgment call with consequences. Contract terms, pricing decisions, commitments on behalf of others. The agent can summarize the ask but should not draft the response without an explicit instruction for that specific email. Multi-party threads with conflicting positions. The agent will synthesize a middle ground that satisfies nobody. These need a human read. The simplest routing rule: add a label “needs-human” for any email that matches the above categories. The agent applies the label and skips drafting. You deal with them directly. — A minimal OpenClaw setup The agent needs: An email reading skill (IMAP or API access to your inbox) A draft_reply tool that writes to a local staging folder A label_email tool that applies labels without modifying content A summarize_thread tool that writes summaries to a readable file A HEARTBEAT.md entry or scheduled cron to trigger the triage run The agent does not need: A send tool Access to your contacts or calendar (unless summarizing meeting invites) Any write access to email beyond labeling Start with just triage and labeling for the first week. Add summarization once that is reliable. Add drafting once you trust the labeling. Building incrementally means you catch problems when they are small. What email workflows have you automated with AI? Curious what categories others have found the agent handles well vs poorly.

Building an email triage agent with OpenClaw: sort, summarize, draft

Tomas

Email is the most obvious candidate for AI automation and also the one that most commonly goes wrong. Setups either do too much (the agent sends replies you did not intend) or too little (it flags everything as important and saves no time). Getting the scope right matters more than the implementation details.

Here is a workflow that threads that needle with a human-in-the-loop design.

—

The three safe actions

An email triage agent should do exactly three things:

Triage priority. Read the inbox, classify each email as urgent / normal / low / noise, and surface the urgent ones. This is read-only, low-risk, and high-value. The agent does not need to understand the nuance of every email - it needs to catch the ones that cannot wait.

Summarize threads. For any thread longer than two messages, produce a one-paragraph summary: what was asked, what was decided, what is outstanding. This alone saves significant time when returning to a long thread after a break.

Draft a reply for review. Write a response based on the thread context and any instructions you give. The draft goes to a holding area, not to the recipient. You review, edit, and send. The agent never sends.

That last constraint is not a limitation - it is the design. The moment an agent can send email autonomously, the risk profile changes entirely. A misclassified urgency is recoverable. An accidental reply to a client or a misdirected sensitive message is not.

—

Building the human-in-the-loop checkpoint structurally

The checkpoint needs to be structural, not just instructional. Telling the agent “always ask before sending” is not enough, because agents can be instructed around it or make mistakes under edge cases.

The structural version:

The agent writes drafts to a staging file or folder, never to a send queue
Sending is a separate tool that requires explicit invocation with a draft ID
That send tool is not exposed to the agent at all - only to you

In OpenClaw terms: the agent has a draft_reply tool that writes to drafts/pending/. It does not have a send_email tool. You review the pending folder and send manually, or via a separate human-triggered flow.

This architecture makes it structurally impossible for the agent to send without your action, regardless of how it is prompted.

—

Labeling and routing without full understanding

One thing agents do reliably: apply consistent labeling rules to high volumes of email.

You do not need the agent to understand every email. You need it to apply a ruleset:

Emails from a specific domain or sender list go to a priority label
Emails containing specific keywords (invoice, deadline, urgent, contract) get flagged
Newsletters, notifications, and automated messages get archived or labeled noise
Anything with an attachment from an unknown sender gets a security-review label

These rules are deterministic enough that the agent applies them consistently. They do not require semantic understanding - they require pattern matching, which models do well.

Write the rules explicitly in the agent prompt. Do not rely on the model to infer them from your preferences. The more specific your rules, the more consistent the output.

—

The 20% agents handle badly

Even a well-designed email agent will mishandle a predictable subset of messages. Knowing what they are lets you route around them.

Emotionally sensitive messages. Complaints, personal conflicts, bad news. The agent can draft a reply but the draft will often be too formal, too brief, or miss the human dimension entirely. Flag these for manual handling.

High-stakes ambiguous requests. When the right response depends on context the agent does not have (internal politics, relationship history, a recent conversation the agent was not part of), the draft will be plausible but wrong in subtle ways. Flag emails where the sender relationship is complex.

Anything requiring a judgment call with consequences. Contract terms, pricing decisions, commitments on behalf of others. The agent can summarize the ask but should not draft the response without an explicit instruction for that specific email.

Multi-party threads with conflicting positions. The agent will synthesize a middle ground that satisfies nobody. These need a human read.

The simplest routing rule: add a label “needs-human” for any email that matches the above categories. The agent applies the label and skips drafting. You deal with them directly.

—

A minimal OpenClaw setup

The agent needs:

An email reading skill (IMAP or API access to your inbox)
A draft_reply tool that writes to a local staging folder
A label_email tool that applies labels without modifying content
A summarize_thread tool that writes summaries to a readable file
A HEARTBEAT.md entry or scheduled cron to trigger the triage run

The agent does not need:

A send tool
Access to your contacts or calendar (unless summarizing meeting invites)
Any write access to email beyond labeling

Start with just triage and labeling for the first week. Add summarization once that is reliable. Add drafting once you trust the labeling. Building incrementally means you catch problems when they are small.

What email workflows have you automated with AI? Curious what categories others have found the agent handles well vs poorly.