AntiTempmail

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward AntiTempMail API helper; the main consideration is that checked email addresses are sent to a third-party service.

Install this only if you intend to use AntiTempMail as a third-party email validation provider. Treat every checked address, especially bulk lists, as shared with that provider and possibly logged or cached. Protect the API key, avoid committing it to files, and review the provider's privacy and retention terms before using real customer or user data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README instructs users to validate email addresses through the AntiTempMail API but does not clearly disclose that submitted addresses are transmitted to a third-party service, which can create privacy, compliance, and user-consent issues. Because email addresses are personal data in many contexts, this omission can lead operators to unintentionally expose customer or user data outside their environment.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs users to send email addresses to a third-party service but does not clearly warn that user-provided identifiers are being transmitted off-platform. Email addresses are personal data in many contexts, and the skill itself notes that requests are logged, which increases privacy and compliance risk if operators use it on real user data without disclosure or consent.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The documentation tells users to store an API key in an environment variable but provides no guidance on protecting that secret from shell history exposure, accidental echoing, process inspection, or logging in CI/CD environments. This is a documentation security weakness rather than an exploit primitive, but it can contribute to credential leakage in real deployments.

External Transmission

Medium
Category
Data Exfiltration
Content
### Check Single Email

```bash
curl -X POST https://antitempmail.com/api/v1/email/check \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $ANTITEMPMAIL_API_KEY" \
  -d '{"email": "test@tempmail.com"}'
```
Confidence
95% confidence

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Read emails from file (one per line)
EMAILS=$(cat email_list.txt | jq -R . | jq -s .)

curl -X POST https://antitempmail.com/api/v1/email/check/bulk \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $ANTITEMPMAIL_API_KEY" \
  -d "{\"emails\": $EMAILS}" | \
```
Confidence
97% confidence

VirusTotal

62/62 vendors flagged this skill as clean.