Shadow Number

Warn

Audited by ClawScan on May 10, 2026.

Overview

This skill is openly a disposable-phone signup helper, but it can automatically spend crypto and complete third-party phone verification through an unknown external service.

Install only if you understand the legal and service-policy implications of using disposable numbers. Use a dedicated low-balance wallet, approve every paid purchase manually, avoid sensitive or financial accounts, and verify the external API operator before giving the agent any wallet key or signup task.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could help create or verify accounts using disposable numbers on services such as Google, Telegram, PayPal, or social platforms, which may violate service rules or enable abuse.

Why it was flagged

The instructions direct the agent to use browser/API actions to complete SMS verification on third-party signup flows, not merely to display a phone number.

Skill content

Use this skill when you need to sign up on a website that requires phone verification... Navigates to the target website and enters the number... Enters the OTP to complete verification.

Recommendation

Require explicit user confirmation for each target site and each verification attempt, and use only where the site permits disposable numbers and the user has a legitimate reason.

What this means

A wallet key may be exposed to the agent environment, and repeated retries or failed signups could spend funds without a clear cap.

Why it was flagged

The skill needs wallet/payment authority and says payments occur automatically, while the provided registry metadata declares no required credentials or environment variables.

Skill content

requires:\n  env:\n    - SHADOW_WALLET_KEY ... your agent wallet will automatically pay ~$0.10 USDC on Base when the server returns HTTP 402, then retry.

Recommendation

Do not use a main wallet; use a dedicated low-balance wallet, require approval before every paid request, declare the credential in metadata, and set a strict spending limit.

What this means

The external service operator can see order activity and OTP-related data, and users have limited artifact evidence about who operates the payment-gated API.

Why it was flagged

The skill depends on a hard-coded external API for purchases and OTP retrieval, but the supplied metadata lists no source repository or homepage to establish provider provenance.

Skill content

SHADOW_API_URL=https://extraordinary-charisma-production.up.railway.app

Recommendation

Verify the provider and its privacy/payment terms before use; prefer a documented service with clear ownership, stable API documentation, and auditable payment behavior.

What this means

The provider involved in the temporary-number flow can observe OTPs associated with the disposable number order.

Why it was flagged

OTP codes are retrieved through the external Shadow API, which is expected for this skill but means account verification codes transit through a third-party provider.

Skill content

GET https://extraordinary-charisma-production.up.railway.app/api/smspva/otp/{orderId} ... Extract `data.sms.code` — that is your OTP.

Recommendation

Avoid using this for sensitive or high-value accounts, and assume the phone number and OTP flow are visible to the external provider.