Disposable Email

Security checks across malware telemetry and agentic risk

Overview

This skill creates and reads temporary Mail.tm inboxes without obfuscation, but the tokens, passwords, email contents, and OTPs it handles must be treated as sensitive.

Install only if you need disposable email automation for authorized testing or accounts you control. Running it will contact Mail.tm, create a temporary mailbox, and expose mailbox credentials and OTPs in command output; avoid shared terminals, CI logs, committed result files, or public agent traces, and delete any saved OTP result files when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The script makes outbound requests to Mail.tm to create a new account and fetch an authentication token, but provides no disclosure, confirmation, or guardrail before transmitting data over the network. In a skill specifically designed to create disposable inboxes and automate OTP retrieval, this behavior directly enables anonymous account creation and use of external infrastructure, which increases abuse potential even if the code is not overtly malicious.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The script prints the generated email address, password, and bearer token to stdout, exposing active credentials to shell history, logs, CI output, agent traces, or any downstream component that captures standard output. Because the token grants access to mailbox contents, leakage could let another party read verification emails or OTPs and take over flows relying on that inbox.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The script emits the full inbox object on creation and again includes both the inbox credentials/token and full message contents when an OTP is found or a message is received. That exposes disposable email account access, bearer tokens, and OTP codes to stdout and optionally to disk via --save, which can be captured by logs, parent processes, CI systems, or other users on the host. In this skill's context, the whole purpose is to automate email verification, so leaking these values directly enables account takeover of flows being tested or abused.
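All three findings describe one pattern: the inbox credentials, the bearer token and the full message body reach stdout, and with --save they reach disk as well. The following is an added example, not the skill's own code, of how such a script can separate what it reports from what it stores: secret-named fields are redacted before anything is printed, only the OTP is surfaced from the message, and the --save file is created owner-readable only and never overwrites an existing path. The inbox object and message body are constructed for illustration; the field names address, password and token are assumptions about the shape of the Mail.tm responses, and the OTP cue words are a heuristic, not a Mail.tm convention.

```python
"""Keep disposable-inbox secrets out of stdout, logs and world-readable files.

Added example; not the skill's code. SAMPLE_INBOX / SAMPLE_MESSAGE are
constructed, and their field names are an assumption about Mail.tm's API.
"""
import json
import os
import re
import stat
import tempfile
from typing import Any, Optional, Tuple

# Keys whose values must never be printed, logged or written to an agent trace.
SECRET_KEYS = frozenset({"password", "token", "bearer", "authorization"})

# Only accept digits that follow an OTP-like cue, so a year, a port or a
# "expires in 10 minutes" in the body is not mistaken for the code.
OTP_RE = re.compile(
    r"(?:code|otp|passcode|verification)\D{0,24}?(\d{4,8})\b", re.IGNORECASE
)


def redact(obj: Any, placeholder: str = "[REDACTED]") -> Any:
    """Return a copy of obj with every secret-named field replaced, at any depth."""
    if isinstance(obj, dict):
        return {
            k: placeholder if k.lower() in SECRET_KEYS else redact(v, placeholder)
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact(v, placeholder) for v in obj]
    return obj


def extract_otp(message_text: str) -> Optional[str]:
    """Pull the verification code out of a message body, or None if there is none."""
    m = OTP_RE.search(message_text)
    return m.group(1) if m else None


def unsafe_report(inbox: dict, message: dict) -> dict:
    """The pattern the findings describe: credentials, token and full message to stdout."""
    return {"inbox": inbox, "message": message}


def safe_report(inbox: dict, message: dict) -> dict:
    """What should be printed instead: a redacted inbox and the OTP alone."""
    return {"inbox": redact(inbox), "otp": extract_otp(message.get("text", ""))}


def save_secret_file(path: str, data: dict) -> int:
    """Persist the unredacted result for --save with owner-only permissions.

    O_CREAT|O_EXCL refuses to touch an existing file, so a stale result file or a
    planted symlink cannot redirect the write. Returns the resulting mode bits.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(data, fh)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_save(data: dict) -> Tuple[int, bool]:
    """Save into a fresh temp dir; returns (mode bits, whether a second write was refused)."""
    path = os.path.join(tempfile.mkdtemp(), "otp-result.json")
    mode = save_secret_file(path, data)
    try:
        save_secret_file(path, data)
        refused = False
    except FileExistsError:
        refused = True
    return mode, refused


# Constructed sample data (not real credentials); field names are assumed.
SAMPLE_INBOX = {
    "address": "qx7v2@mail.tm",
    "password": "Kp9!example",
    "token": "eyJhbGciOi.example.sig",
}
SAMPLE_MESSAGE = {
    "from": "noreply@example.org",
    "subject": "Verify your account",
    "text": "Your verification code is 482913. It expires in 10 minutes.",
}

if __name__ == "__main__":
    print(json.dumps(safe_report(SAMPLE_INBOX, SAMPLE_MESSAGE), indent=2))
    mode, refused = demo_save(unsafe_report(SAMPLE_INBOX, SAMPLE_MESSAGE))
    print(f"result file mode {oct(mode)}, overwrite refused: {refused}")
```

The 0600 mode and the O_EXCL check are POSIX behaviour; on Windows the permission bits are not enforced the same way, so the file should instead be placed in a per-user directory. The redaction is keyed on field names, so a response that carries the token under an unexpected key would still leak; when the exact schema is known, an allow-list of fields to print is safer than a deny-list of fields to hide.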

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal