How do I use Himalaya MCP Server?

1. Click on "Install Server". 2. Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state. 3. In the chat, type @ followed by the MCP server name and your instructions, e.g., "@Himalaya MCP Server summarize the most recent unread emails in my inbox" That's it! The server will respond to your query, and you can continue using it as needed. Here is a step-by-step guide with screenshots.

Himalaya MCP Server

by andasv

Overview Schema Related Servers Score Discussions

Python

Local

himalaya-mcp-server

MCP server that exposes email operations to AI agents (Claude Cowork, Claude Code, etc.) via the himalaya CLI.

Read-only by default. Write and send operations must be explicitly enabled.

Features

Broad himalaya coverage: accounts, folders, envelopes, messages, flags, attachments, templates
Three modes: read-only (safe default), full (write operations), and dangerzone (sending emails)
No destructive operations: delete, purge, and expunge commands are deliberately excluded (see Excluded Commands)
Security-first: write tools labeled [DANGER: WRITE], send tools labeled [DANGERZONE: SENDS EMAIL]
No shell injection: all CLI calls use subprocess.run() with list arguments
Stdio transport: works natively with Claude Desktop / Cowork via claude_desktop_config.json

Prerequisites

Python 3.12+
uv — install with brew install uv (macOS) or see uv docs
himalaya — installed and configured with at least one email account

Verify himalaya is working:

himalaya account list

Installation

Clone the repository:

git clone https://github.com/andasv/himalaya-mcp-server.git
cd himalaya-mcp-server
uv sync

Usage with Claude Cowork / Claude Desktop

Add the server to your claude_desktop_config.json:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json Windows: %APPDATA%\Claude\claude_desktop_config.json

Read-only mode (default, recommended)

{
  "mcpServers": {
    "himalaya": {
      "command": "uv",
      "args": ["run", "--project", "/path/to/himalaya-mcp-server", "himalaya-mcp-server"]
    }
  }
}

Full mode (enables move, copy, flag, and other write operations)

Warning: Full mode allows the AI agent to move messages, modify flags, create folders, and save drafts. It does not allow sending emails.

{
  "mcpServers": {
    "himalaya": {
      "command": "uv",
      "args": ["run", "--project", "/path/to/himalaya-mcp-server", "himalaya-mcp-server"],
      "env": {
        "HIMALAYA_MODE": "full"
      }
    }
  }
}

Dangerzone mode (enables sending emails)

Warning: Dangerzone mode allows the AI agent to send real emails to real recipients. This is irreversible. Only enable this if you fully understand the risks.

Dangerzone mode requires the APPROVED_RECIPIENTS environment variable — a comma-separated list of email addresses the AI is allowed to send to. Sending to any other address will be blocked with a friendly error.

{
  "mcpServers": {
    "himalaya": {
      "command": "uv",
      "args": ["run", "--project", "/path/to/himalaya-mcp-server", "himalaya-mcp-server"],
      "env": {
        "HIMALAYA_MODE": "dangerzone",
        "APPROVED_RECIPIENTS": "alice@example.com,bob@example.com",
        "HIMALAYA_SEND_TIMEOUT": "15"
      }
    }
  }
}

After editing the config, restart Claude Desktop for changes to take effect.

Usage with Claude Code

# Read-only (default)
claude mcp add himalaya -- uv run --project /path/to/himalaya-mcp-server himalaya-mcp-server

# Full mode (write operations, no sending)
claude mcp add --env HIMALAYA_MODE=full himalaya -- uv run --project /path/to/himalaya-mcp-server himalaya-mcp-server

# Dangerzone mode (write + send, with approved recipients)
claude mcp add --env HIMALAYA_MODE=dangerzone --env APPROVED_RECIPIENTS=alice@example.com,bob@example.com himalaya -- uv run --project /path/to/himalaya-mcp-server himalaya-mcp-server

Modes

Mode	Env var	Tools available
readonly (default)	`HIMALAYA_MODE=readonly` or unset	List accounts/folders/envelopes, read messages, download attachments, generate templates
full	`HIMALAYA_MODE=full`	All of the above + move, copy, flag, create folders, save drafts
dangerzone	`HIMALAYA_MODE=dangerzone`	All of the above + send emails

Environment Variables

Variable	Required	Default	Description
`HIMALAYA_MODE`	No	`readonly`	Operating mode: `readonly`, `full`, or `dangerzone`
`APPROVED_RECIPIENTS`	In dangerzone	—	Comma-separated list of email addresses allowed as recipients
`HIMALAYA_SEND_TIMEOUT`	No	`15`	Timeout in seconds for send operations. Himalaya retries SMTP 450 errors indefinitely, so this prevents hangs. Keep below 60s (Cowork's tool timeout).
`HIMALAYA_LOG_LEVEL`	No	`WARNING`	Log verbosity: `DEBUG`, `INFO`, `WARNING`, `ERROR`. Logs never contain email content or credentials — stderr from himalaya CLI is sanitized before logging.

Available Tools

Read-only tools (always available)

Tool	Description
`account_list`	List configured email accounts
`folder_list`	List folders/mailboxes
`envelope_list`	List message envelopes with search/filter/pagination
`envelope_thread`	Get thread view of envelopes
`message_read`	Read a message body by ID
`message_thread`	Read a full message thread
`attachment_download`	Download attachments from a message
`template_write`	Generate a blank email template (MML)
`template_reply`	Generate a reply template
`template_forward`	Generate a forward template

Write tools (full and dangerzone modes)

These tools are prefixed with [DANGER: WRITE] in their descriptions so the AI agent clearly sees the risk.

Tool	Description
`folder_create`	Create a new folder
`message_copy`	Copy a message to another folder
`message_move`	Move a message to another folder
`message_save`	Save a raw MIME message to a folder
`flag_add`	Add flags to a message
`flag_set`	Replace all flags on a message
`flag_remove`	Remove flags from a message
`template_save`	Compile MML template and save to folder

Send tools (dangerzone mode only)

These tools are prefixed with [DANGERZONE: SENDS EMAIL] in their descriptions. They send real emails to real recipients and cannot be undone.

Tool	Description
`message_send`	Send a raw MIME message
`template_send`	Compile MML template and send email

Composing and sending emails

Since himalaya's interactive editor commands can't be used in an MCP context, email composition uses the template pipeline:

Generate a template with template_write, template_reply, or template_forward
Edit the template (the AI fills in To, Subject, body, etc.)
Send with template_send (requires dangerzone mode) or save as draft with template_save (requires full mode)

MML template format

From: you@example.com
To: recipient@example.com
Subject: Hello

Your message body here.

Excluded Commands

The following himalaya commands are deliberately not exposed through this MCP server for safety reasons. Allowing an AI agent to permanently delete emails or folders carries too high a risk of irreversible data loss.

himalaya command	What it does	Why it's excluded
`folder expunge`	Permanently removes messages marked for deletion	Irreversible bulk deletion
`folder purge`	Deletes ALL messages in a folder	Irreversible bulk deletion
`folder delete`	Deletes an entire folder and its contents	Irreversible data loss
`message delete`	Permanently deletes a single message	Irreversible data loss

If you need these operations, use the himalaya CLI directly.

Security

Read-only by default — no write tools are even registered unless HIMALAYA_MODE=full or dangerzone
Sending requires dangerzone — email send tools are isolated in their own mode, separate from other write operations
Recipient allowlist — in dangerzone mode, APPROVED_RECIPIENTS must be set; emails can only be sent to explicitly approved addresses
No destructive operations — delete, purge, and expunge commands are excluded entirely
Danger labels — write tools show [DANGER: WRITE], send tools show [DANGERZONE: SENDS EMAIL]
No shell injection — all subprocess calls use list arguments, never shell=True
Input validation — all parameters are validated before being passed to the CLI
Subprocess timeouts — all CLI calls have a 30-second timeout to prevent hangs
himalaya handles auth — this server never touches credentials; himalaya manages its own auth via its config

License

MIT

This server cannot be installed

security - not tested

license - not found

quality - not tested

How are these scores calculated?

Resources

GitHub Repository

Need Help?

Related Servers

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security
Open Source Has a Bot Problem
By punkpeye on March 19, 2026.
open source

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/andasv/himalaya-mcp-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server