Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
cloudflare-mail-address-creator
v1.0.0Create one or many ordinary email addresses in a Cloudflare temporary mail system through the `/admin/new_address` admin API and return structured results. U...
⭐ 0· 50·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The code and SKILL.md align with the stated purpose (calling an admin API to create addresses). However, the skill is branded as "Cloudflare" yet the API host is mail-api.suilong.online (not a cloudflare.com domain). This may be legitimate (self-hosted service behind Cloudflare) but is a provenance mismatch worth verifying.
Instruction Scope
The runtime instructions are scoped to collecting name/domain/prefix, running the included script, and returning JSON/CSV output. The skill only reads optional input files (names file) and may write an output file if requested. It does not instruct broad system reconnaissance or unrelated data collection.
Install Mechanism
There is no install step (instruction-only plus a packaged Python script). Nothing is downloaded at install time. Risk surface is limited to executing the included script locally and its network calls.
Credentials
The skill requires admin credentials at runtime (x-admin-auth / bearer tokens, etc.), which is appropriate for calling an admin API. But the registry metadata declares no required env vars (so callers might not be warned up-front), and the API domain differs from the Cloudflare brand in the name. You should confirm the API URL and the owner of suilong.online before providing high-privilege credentials.
Persistence & Privilege
always:false and no install scripts that persist to system config. The skill's agent policy allows implicit invocation (default), meaning an agent could call this skill autonomously if given credentials — combine that with admin tokens only when you are comfortable with autonomous operations.
What to consider before installing
This skill appears to implement mailbox creation logic correctly, but do not hand it admin credentials without verification. Before installing or running: (1) confirm the API URL (https://mail-api.suilong.online) is the intended and trusted endpoint and not an impostor; (2) verify the skill publisher/owner and provenance of suilong.online (the skill advertises "Cloudflare" but does not use cloudflare.com); (3) prefer passing short-lived credentials at runtime (not embedding secrets), and consider using a scoped, minimal-privilege admin token; (4) if you allow the agent to invoke skills autonomously, be cautious — an autonomous agent with an admin token could create or modify mailboxes without further consent. If you need higher assurance, request the publisher to: declare required env vars in the registry metadata, document the endpoint ownership, and provide a reproducible provenance (source repository or homepage).Like a lobster shell, security has layers — review code before you run it.
latestvk977xw3wjfemg3reqm9azbbtdx83jh58
License
MIT-0
Free to use, modify, and redistribute. No attribution required.