Detect Executive Impersonation Attempts
Identify business email compromise attacks where fraudsters impersonate executives to request wire transfers or sensitive data.
Triage Suspicious Emails
Analyze a suspicious email's headers, links, and content to quickly determine whether it is a phishing attempt before taking any action.
Tool
Employees report dozens of suspicious emails every week, and the security team can't manually investigate each one at speed. At the same time, a single phishing email that gets through — impersonating IT support, a C-suite executive, or a trusted vendor — can result in credential theft or wire fraud. The triage step is the bottleneck.
Phishing Email Checker's `check_email` skill analyzes headers for spoofing indicators, scans embedded links against threat feeds, and evaluates the content for social engineering patterns. Within seconds you have a verdict with the specific signals that drove it — not a single score with no explanation.
IT security teams, SOC analysts, and operations staff use this to clear the email triage backlog faster, give employees reliable answers, and generate documented verdicts for incident records.
Agent Guides
Claude
- Connect ToolRouter in Claude: claude mcp add toolrouter -- npx -y toolrouter-mcp
- Copy the raw email content, headers, and any embedded links into the conversation.
- Ask Claude to run `check_email` via `phishing-email-checker` on the email.
ChatGPT
- Connect ToolRouter in ChatGPT: {"mcpServers":{"toolrouter":{"command":"npx","args":["-y","toolrouter-mcp"]}}}
- Paste the full email content and headers and specify the audience — the employee who reported it, the security team, or both.
- Ask ChatGPT to run `check_email` via `phishing-email-checker`.
Copilot
- Connect ToolRouter in Copilot: {"mcpServers":{"toolrouter":{"command":"npx","args":["-y","toolrouter-mcp"]}}}
- Extract the raw email content and headers from your email processing pipeline or test fixture.
- Ask Copilot to run `check_email` via `phishing-email-checker` on the extracted email.
OpenClaw
- Connect ToolRouter in OpenClaw: openclaw mcp add toolrouter -- npx -y toolrouter-mcp
- Export the email backlog — headers and content — from your email security gateway or ticketing system.
- Run `phishing-email-checker` with `check_email` for each email and collect results in a normalized schema.
Related Use Cases
Audit Email Links Before Forwarding
Check all links embedded in an email before forwarding it to colleagues or clicking them yourself.