Email OTP
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent with its purpose, but it stores temporary-mail credentials, OTPs, and validation links locally, so users should treat its state files as sensitive.
This skill appears benign and purpose-aligned. Before installing, understand that it creates a third-party temporary mailbox, stores that mailbox’s credentials and token under ~/.tempmail_otp/, and saves the most recent OTP/link there. Do not use it for important personal, financial, or recovery accounts, and delete ~/.tempmail_otp/ after use.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installation may appear lighter-weight than it is; the skill needs a local Python runtime to work.
The registry metadata under-declares the Python runtime needed to execute the included helper script. This appears to be a packaging/metadata gap rather than hidden behavior because the README and SKILL.md openly document python3 usage.
Required binaries (all must exist): none ... Code file presence: scripts/tempmail_otp.py
Declare python3 as a required binary in the registry metadata so users can see the runtime requirement before installation.
Anyone who can read the state file may be able to access the temporary mailbox and its messages.
The skill stores credentials and a JWT token for the temporary mailbox. This is expected for the mail.tm integration and is disclosed, but the token grants access to that inbox.
`~/.tempmail_otp/account.json` - Account credentials (JWT token, email, password)
Use the skill only for disposable or low-risk signups, keep the state directory private, and remove ~/.tempmail_otp/ when finished.
A later local process or user could read a saved OTP or validation link while it is still valid.
The skill persists OTPs and validation links across sessions. This is central to the workflow and disclosed, but these files may contain short-lived authentication material.
`~/.tempmail_otp/last_otp` - Contains the last extracted OTP code; `~/.tempmail_otp/last_link` - Contains the first interesting validation link found
Delete ~/.tempmail_otp/ after completing verification, and avoid using this skill for sensitive accounts.
