Theoretically you should be creating a "read email" CLI tool and letting agents interact with it in a chroot sandbox.

LLMs are much more proficient with bash and --help than they are with bespoke API protocols.

Treat LLMs like you would a junior programmer - keep things as generic and obvious as you can.

Easy. What a cron script (that runs as root) that populate a maildir that the agent (restricted user) has access to. The. you restrict network access to the internet, and have it send you its findings by mail (local mail server).