ClawHub
Back to skill
v1.0.0

cloudflare-mail-address-creator

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:17 AM.

Analysis

The skill is coherent for creating temporary mail addresses, but it uses an admin mail credential and may return mailbox access tokens/passwords, so users should verify the backend and handle outputs carefully.

GuidanceBefore installing or invoking this skill, confirm that `mail-api.suilong.online` or any overridden API URL is your intended mail backend, use a scoped admin credential, review batch requests carefully, and protect any returned JWTs, passwords, or exported result files.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
Create one or many ordinary email addresses in a Cloudflare temporary mail system through the `/admin/new_address` admin API ... Run [scripts/create_address.py](scripts/create_address.py) for single or batch creation.

The skill intentionally performs a mutating admin API operation, including batch creation. This is disclosed and purpose-aligned, but users should notice the account/backend impact.

User impactThe agent may create mailbox records in the configured mail system when asked, including multiple addresses at once.
RecommendationUse only with explicit user intent, verify the target domain and batch list, and avoid broad or accidental bulk creation.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
scripts/create_address.py
admin_auth = args.admin_auth or os.getenv(ENV_ADMIN_AUTH)
...
"x-admin-auth": admin_auth

The helper handles an admin credential to authorize mailbox creation. This is expected for the stated admin API purpose, but it is privileged access.

User impactAnyone with access to the provided admin secret may be able to create mailboxes in the target system.
RecommendationProvide the least-privileged admin secret possible, prefer environment variables over pasting secrets into prompts, verify the API endpoint before use, and rotate the credential if it is exposed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityMediumConfidenceHighStatusNote
scripts/create_address.py
"jwt": data.get("jwt"),
"password": data.get("password")

Successful results may include mailbox access material, and the skill instructs the agent to return the script output directly.

User impactMailbox JWTs or passwords may appear in the agent conversation, logs, or exported files.
RecommendationTreat returned JSON/CSV files as sensitive, avoid sharing them unnecessarily, and clean up or rotate mailbox credentials if exposed.