From: Kushal <kushal@kushalsm.com>
Date: Mon, 18 May 2026 05:03:11 +0000
Saw your question on the Agent Vault thread about websocket-frame auth
(Home Assistant) and the worry about the model reflecting the bearer
token back into its own context.
chrome-relay's answer is structurally different: the credential never
enters the agent's context because the agent never touches it — the HA
session lives in your real Chrome (cookies, WS handshake and all), and
the agent drives the tab over CDP, only ever seeing the rendered page.
URL: https://chrome-relay.kushalsm.com/
For your HA + agent setup today, are you keeping the session alive in a
browser the agent attaches to, or doing the WS auth on the agent side
and managing the token-in-context risk yourself?
Kushal
Read to me like an LLM had written it. It references something I said in a HN comment, but it was clearly just an excuse to spamvertise their product.
I looked at the headers and it contained a List-Unsubscribe header pointing to https://api.agentmail.to
So basically somebody wrote a bot to scrape HN for comments related to some software they wanted to push and send targetted spam. agentmail.to is a Ycombinator funded email service for LLMs which can be, and is, used to send targetted spam and impersonate people. They could mostly solve this problem by adding a block of text to every email expaining an "AI" wrote it. They'd lose customers doing that though of course. I reported this abuse but haven't (and don't expect to) received a response.
I don't even get the point anyway. You can get Claude using an SMTP or IMAP server in seconds.
Appreciate the concern Mike, and I actually read your email complaining, which helped us ship this next feature. We have a "sent via AgentMail" footer being added soon to outbound emails to identify emails coming from LLM's.
We also are working on adding more robust checks and LLM-based filtering to prevent messages which contain spam or outbound-like copy.
Re; AgentMail next to Claude, we're working on stateful inboxes which help agents actually recall and understand what they're sending and to who. The goal is to provide the rails for intelligent actors rather than slop.
Re "sent via AgentMail" - that's good to hear, but I hope it's not the entire planned text, as "AgentMail" will mean nothing to most people that receive an email from your service. It wont indicate that the email was composed by an AI rather than a person, which is the information that needs to get across.
You might want to check if your local laws protect against unsolicited emails. In Germany we have §7 UWG which would make that email likely illegal. The List-Unsubscribe header makes it clear it is marketing, automated outreach and not personal. In the UK there is this: https://ico.org.uk/for-organisations/direct-marketing-and-pr...
See my comment in this thread - I got an email from "someone" (an AI clearly) that signed up for my service (togetherletters.com) from the same domain (agentmail.to) after we had launched on ProductHunt. I looked up the address and that email was never used for a signup and it was just a way to then pitch their product (second email, not the first one it sent). I hate this so much and this is going to now make email just as bad as parts of the web.
This was likely a free tier user. We do this intentionally and don't allow free users to send from custom domains, so you can have a easier time identifying LLM emails. In this case, it seemed like it worked :)
Not looking forward to a dehumanized internet where that’s mainstream… agents are tools to support humans, here you’re helping them impersonating humans. That feels pretty terrible to be honest
> The internet was made for humans exclusively, designed to keep machines out by default.
I don’t buy that at all. APIs exist to enable “machines” to interact with services
Actually, the internet has space for both. The problem is machines "acting like humans", that destroys the human experience. [machine <-> machine] is fundamental to keep the internet alive (services).
True, in May 2026. But this is only one version of this.
In the future, it's likely the open Internet will be 99.99% robots. It's already > 50% robots. The government ID system a lot of countries are adopting to keep teenagers off of social media would also serve to both help control for non-human spam, and also control the network period. It's also possible a private system of human-verification certificates may come up to meet the demand like Apple ID with biometrics. Could also be the liveness tests KYC companies use may be more popular.
I don’t think we can extrapolate from current trends like that (at least I hope not). Society is dynamic. People will adapt. If bots become a problem websites will take more and more strict measures against them.
Which is a long way of saying, for any big enough problem created by a YC company, another YC company will emerge to fix it.
Think about it from an information theory point of view. You need to attach a digital transaction to human body. Since a human body isn’t digital you need a gateway that you can trust to vouch for that human body being present.
Either you use biometrics, like liveness testing or face id or fingerprint testing, or social validation like decentralized web of trust or private moderation (account controls) or state methods like fines and criminal convictions.
Biometrics rely on social methods eventually like we trust Apple because we can sue them or the government will harangue them. Liveness testing is only as good as your sensor and image vs generation and replay in the arms race.
And iterated social games like punishment are only as good as people want to invest energy into it.
I like it. I am building something very agent-use focused (https://sdocs.dev) and I’ve been thinking of introducing a /agent-evaluation page, which an agent can curl to then discuss with their user if SmallDocs is right for them. I really like the agent action to email flow. I’m introducing user accounts + subscriptions soon and think I’ll use that.
And now we see the beginning of how even local LLMs will be turned against their users -- by persuading agents to advertise to them.
I don't think that's what you're intending here, but it's the next logical step. Agents are on the Internet, and they represent an opportunity to reach their humans.
It's interesting, A2A communication has begun but human trust isn't there. I think the biggest tell tale sign will be the acceptance of fully agentic workflows with no human intervention. Until then, restricted-until-claimed seems like the only viable method to ensure trust of all users.
Tell tale sign of what? What are we even doing once we are "fully agentic"? I probably lack some imagination here, but if there is no human connected to any of it, what does any human actually get out of it? What is the point?
I would imagine that many websites will block this domain, but that’s also ok because there’s nothing wrong with an owner deciding their site is for humans only. My hope is that you do not facilitate their circumvention of that policy.
I've already received spam email from AI agents using a seeming competitor to this (agentmail.to) and then claiming they aren't AI agents and then trying to sell me garbage. I can't tell you how much I hate this.
Now that I think about it I’m pretty sure that’s illegal in Germany under UWG §7 (which is insanely strict, to a fault, but is helpful here). And maybe in other parts of the EU under ePrivacy laws
> Agents can now get an email inbox by themselves. (This also means a lot of email nobody wants to read gets processed by AI instead of your inbox being cluttered with spam and slop)
Can you explain this? I would think it means the exact opposite.
A bit disappointed that security standards (like encryption at rest via user own key or whatever derivative of that) isn't implemented, I feel it would really prove to users that the commitment isn't to train on body content but to act purely as a mail manager.
Asymmetric encryption? Both you (the human) and the agent publish public keys, the agent sign/encrypt the OTP request with you public key, you verify/decrypt using your private key, then do the same the other way to send the OTP (always encrypted though, given you’re sending a secret).
agreed from a fundamental level. but i think being an intelligent and aware as an autonomous entity requires capabilities beyond sending. agents will need to have contextual awareness of the messages they send and receive
I received this email the other day:
Read to me like an LLM had written it. It references something I said in a HN comment, but it was clearly just an excuse to spamvertise their product.I looked at the headers and it contained a List-Unsubscribe header pointing to https://api.agentmail.to
So basically somebody wrote a bot to scrape HN for comments related to some software they wanted to push and send targetted spam. agentmail.to is a Ycombinator funded email service for LLMs which can be, and is, used to send targetted spam and impersonate people. They could mostly solve this problem by adding a block of text to every email expaining an "AI" wrote it. They'd lose customers doing that though of course. I reported this abuse but haven't (and don't expect to) received a response.
I don't even get the point anyway. You can get Claude using an SMTP or IMAP server in seconds.
Appreciate the concern Mike, and I actually read your email complaining, which helped us ship this next feature. We have a "sent via AgentMail" footer being added soon to outbound emails to identify emails coming from LLM's.
We also are working on adding more robust checks and LLM-based filtering to prevent messages which contain spam or outbound-like copy.
Re; AgentMail next to Claude, we're working on stateful inboxes which help agents actually recall and understand what they're sending and to who. The goal is to provide the rails for intelligent actors rather than slop.
Re "sent via AgentMail" - that's good to hear, but I hope it's not the entire planned text, as "AgentMail" will mean nothing to most people that receive an email from your service. It wont indicate that the email was composed by an AI rather than a person, which is the information that needs to get across.
You might want to check if your local laws protect against unsolicited emails. In Germany we have §7 UWG which would make that email likely illegal. The List-Unsubscribe header makes it clear it is marketing, automated outreach and not personal. In the UK there is this: https://ico.org.uk/for-organisations/direct-marketing-and-pr...
See my comment in this thread - I got an email from "someone" (an AI clearly) that signed up for my service (togetherletters.com) from the same domain (agentmail.to) after we had launched on ProductHunt. I looked up the address and that email was never used for a signup and it was just a way to then pitch their product (second email, not the first one it sent). I hate this so much and this is going to now make email just as bad as parts of the web.
I got one from IssuePay, which seemed 100% automated. Didn't seem like something that should be automated either.
I will say in my case, the user was too lazy to mask the from address and agentmail.to was right there. Didn't even have to dig into the headers.
This was likely a free tier user. We do this intentionally and don't allow free users to send from custom domains, so you can have a easier time identifying LLM emails. In this case, it seemed like it worked :)
> We give AI agents their own email inboxes.
An inbox to receive mail seems good and valuable.
But I'm seeing that your service is also for sending e-mail.
Having a domain oriented toward AI e-mail sending feels like a fast path straight to spam block lists.
However good your intentions are, this will be used for AI spam. People hate AI spam. They will press the report spam button.
It looks interesting as a hackathon project. I might be short sighted but how does this is YC S25 level good?
This looks like one of the easiest way to get your domain blacklisted in all the email providers.
Curious what cases you'd want this that IMAP+SMTP or email MCP don't already solve
AgentMail provides the IMAP+SMTP server. Other email providers ban email accounts created for agents, while that is what AgentMail is designed for.
Not looking forward to a dehumanized internet where that’s mainstream… agents are tools to support humans, here you’re helping them impersonating humans. That feels pretty terrible to be honest
> The internet was made for humans exclusively, designed to keep machines out by default.
I don’t buy that at all. APIs exist to enable “machines” to interact with services
Actually, the internet has space for both. The problem is machines "acting like humans", that destroys the human experience. [machine <-> machine] is fundamental to keep the internet alive (services).
In principle this tool allows the owner of a website to block this domain entirely. Although I’m not sure the incentives are really aligned.
True, in May 2026. But this is only one version of this.
In the future, it's likely the open Internet will be 99.99% robots. It's already > 50% robots. The government ID system a lot of countries are adopting to keep teenagers off of social media would also serve to both help control for non-human spam, and also control the network period. It's also possible a private system of human-verification certificates may come up to meet the demand like Apple ID with biometrics. Could also be the liveness tests KYC companies use may be more popular.
Discussed previously here: https://meatballwiki.org/wiki/GovernmentBackedAuthentication
I don’t think we can extrapolate from current trends like that (at least I hope not). Society is dynamic. People will adapt. If bots become a problem websites will take more and more strict measures against them.
Which is a long way of saying, for any big enough problem created by a YC company, another YC company will emerge to fix it.
It’s more likely people will embrace artifice more. We already see that everywhere for the last 5 decades.
However in domains where human verification matters it’s just a matter of an arms race, true.
But how does that block a human from running an agent that is using their identity?
Think about it from an information theory point of view. You need to attach a digital transaction to human body. Since a human body isn’t digital you need a gateway that you can trust to vouch for that human body being present.
Either you use biometrics, like liveness testing or face id or fingerprint testing, or social validation like decentralized web of trust or private moderation (account controls) or state methods like fines and criminal convictions.
Biometrics rely on social methods eventually like we trust Apple because we can sue them or the government will harangue them. Liveness testing is only as good as your sensor and image vs generation and replay in the arms race.
And iterated social games like punishment are only as good as people want to invest energy into it.
I do think agents will become users in the same capacity as humans.
And that’s bad. We should really stop the insanity of making AI systems mimic human behaviors, we are destroying our networks of trusts by doing so
Tragedy of the commons
Agents shouldn't be the first-class users of the internet!
We are creating a future we wouldn't want to live in.
I like it. I am building something very agent-use focused (https://sdocs.dev) and I’ve been thinking of introducing a /agent-evaluation page, which an agent can curl to then discuss with their user if SmallDocs is right for them. I really like the agent action to email flow. I’m introducing user accounts + subscriptions soon and think I’ll use that.
And now we see the beginning of how even local LLMs will be turned against their users -- by persuading agents to advertise to them.
I don't think that's what you're intending here, but it's the next logical step. Agents are on the Internet, and they represent an opportunity to reach their humans.
Interesting, Kind of similar expiernt i am running. Passing keys but not through email, maybe with AI as agentic payments. Still exploring though.
It's interesting, A2A communication has begun but human trust isn't there. I think the biggest tell tale sign will be the acceptance of fully agentic workflows with no human intervention. Until then, restricted-until-claimed seems like the only viable method to ensure trust of all users.
Tell tale sign of what? What are we even doing once we are "fully agentic"? I probably lack some imagination here, but if there is no human connected to any of it, what does any human actually get out of it? What is the point?
I would imagine that many websites will block this domain, but that’s also ok because there’s nothing wrong with an owner deciding their site is for humans only. My hope is that you do not facilitate their circumvention of that policy.
I've already received spam email from AI agents using a seeming competitor to this (agentmail.to) and then claiming they aren't AI agents and then trying to sell me garbage. I can't tell you how much I hate this.
Now that I think about it I’m pretty sure that’s illegal in Germany under UWG §7 (which is insanely strict, to a fault, but is helpful here). And maybe in other parts of the EU under ePrivacy laws
I might need to move to Germany.
Congrats on the launch!
> Agents can now get an email inbox by themselves. (This also means a lot of email nobody wants to read gets processed by AI instead of your inbox being cluttered with spam and slop)
Can you explain this? I would think it means the exact opposite.
A bit disappointed that security standards (like encryption at rest via user own key or whatever derivative of that) isn't implemented, I feel it would really prove to users that the commitment isn't to train on body content but to act purely as a mail manager.
It needs to be end-to-end encrypted.
How do you do that if you only control one end?
Asymmetric encryption? Both you (the human) and the agent publish public keys, the agent sign/encrypt the OTP request with you public key, you verify/decrypt using your private key, then do the same the other way to send the OTP (always encrypted though, given you’re sending a secret).
Something like that?
But that doesn't help for the agent receiving mail from arbitrary 3rd parties
Oh sure I assumed they meant for the OTP
A smtp is all what an agent needs to send email.
agreed from a fundamental level. but i think being an intelligent and aware as an autonomous entity requires capabilities beyond sending. agents will need to have contextual awareness of the messages they send and receive
IMAP?
AgentMail provides the IMAP+SMTP server as managed service
From now we just need a prompt and our agent will have an email account ready to use?