Shitty Email

Create and manage temporary disposable email inboxes

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name and description match the SKILL.md: it documents creating inboxes, polling, fetching message bodies, extending and deleting inboxes. The declared helper binaries (curl, jq) are the exact tools used in the examples. No unrelated environment variables, credentials, or config paths are requested.
Instruction Scope
Instructions focus on calls to the explicit API (https://shitty.email). They require storing and reusing a session token (the token is effectively an inbox credential). The SKILL.md does not specify how/where to store tokens securely (memory vs persistent storage vs logs). Also note a minor bug in the example: ' {token}=$(...)' appears to be a typo and should be 'token=$(...)' or similar; this is a correctness issue, not a coherence issue. No instructions ask the agent to read unrelated local files or other credentials.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes disk-write and installation risk.
Credentials
The skill requests no environment variables or external credentials, which is proportional. However, the service issues an inbox 'token' that grants full access to received emails — treat that token like a secret. The skill does not define secure handling/storage for that token, so the agent's implementation could inadvertently persist or leak it (via logs, long-term storage, or other skills).
Persistence & Privilege
always is false and the skill does not request special system-wide privileges. Autonomous invocation (default) would allow the agent to call the external service by itself; this is expected for a networked skill and is not by itself suspicious. Be aware that autonomous calls will transmit email addresses and possibly content to the external service.
Assessment
This skill appears to do only what it says: create and manage temporary inboxes via https://shitty.email using curl/jq. Before installing: (1) Recognize that any email sent to these inboxes (and the verification tokens) is visible to the external service — do NOT use for personal, financial, or otherwise sensitive accounts. (2) The session token returned by the service is effectively a secret that grants access to received messages; confirm how the agent will store or log that token and avoid persistent or shared logging of it. (3) The SKILL.md examples have a small shell typo; treat examples as illustrative. (4) If you do not trust the domain/service operator, prefer a reputable disposable-email provider or run your own disposable inbox service. If you want a deeper risk assessment, provide the agent's storage/secret-handling policy or more information about how tokens are persisted and who can access them.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.2
latest vk97bgkkxf957qs1n4jras3rxr980e266

SKILL.md

Shitty Email - Temporary Inbox Skill

Create disposable email addresses instantly. Perfect for signups, testing, and privacy.

When to Use This Skill

Use this skill when the user needs to:

  • Create a temporary/disposable email address
  • Sign up for a service without using their real email
  • Test email sending functionality
  • Wait for a verification or confirmation email
  • Extract codes or links from emails

Important: Token Management

When you create an inbox, you receive a token. This token is required for ALL subsequent operations. Always store and reuse the token for the same inbox session.

API Reference

Base URL: https://shitty.email

Create a New Inbox

curl -s -X POST https://shitty.email/api/inbox | jq

Response:

{
  "email": "abc1234@shitty.email",
  "token": "a1b2c3d4e5f6..."
}

Store both the email and token - you need the token for all other operations.

Check Inbox for Emails

curl -s -H "X-Session-Token: {token}" https://shitty.email/api/inbox | jq

Response:

{
  "emails": [
    {
      "id": "msg_a1b2c3d4e5",
      "from": "sender@example.com",
      "subject": "Welcome!",
      "date": "2026-02-03T12:00:00Z"
    }
  ]
}

Get Full Email Content

Use the id field from the inbox response (e.g. msg_a1b2c3d4e5). This is NOT the email address.

curl -s -H "X-Session-Token: {token}" https://shitty.email/api/email/{email_id} | jq

Response includes html and text fields with the email body.

Extend Inbox Lifetime

Inboxes expire after 1 hour by default. Extend by 1 hour (max 24 hours total):

curl -s -X POST -H "X-Session-Token: {token}" https://shitty.email/api/inbox/extend | jq

Delete Inbox

Clean up when done:

curl -s -X DELETE -H "X-Session-Token: {token}" https://shitty.email/api/inbox
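
The token is the only credential for the inbox, and the calls above put it on the curl command line, where other local users can read it from the process list. The following is an added example, not part of SKILL.md, that keeps the token in an owner-only curl config file, rejects malformed tokens, and masks it in logged output; the token character set and the helper names are assumptions.

```sh
#!/bin/sh
# Added example (not from SKILL.md): keep the inbox token out of argv and logs.
umask 077   # files created below are readable by the owner only

# Write a curl config file that carries the X-Session-Token header.
# Assumption: tokens match [A-Za-z0-9_-]+. Anything else is rejected so a
# malformed API response cannot inject extra curl options into the file.
write_curl_config() (   # $1 = token, $2 = private directory; prints the path
  case $1 in
    ''|null|*[!A-Za-z0-9_-]*) echo "unexpected token format" >&2; exit 1 ;;
  esac
  printf 'header = "X-Session-Token: %s"\n' "$1" > "$2/curl.cfg" || exit 1
  printf '%s\n' "$2/curl.cfg"
)

# Mask the token in text that is about to be logged (literal match, no regex).
redact() (              # $1 = token; filters stdin to stdout
  [ -n "$1" ] || exit 1
  T=$1 awk '{ t = ENVIRON["T"]; s = $0; out = ""
    while ((i = index(s, t)) > 0) {
      out = out substr(s, 1, i - 1) "[REDACTED]"; s = substr(s, i + length(t))
    }
    print out s }'
)

# Call the API with the header read from the config file, not from argv.
api() {                 # $1 = config path; remaining arguments go to curl
  cfg_path=$1; shift
  curl -s -K "$cfg_path" "$@"
}

# Whole session (needs network, so it is defined here but not invoked).
run_session() (
  dir=$(mktemp -d) || exit 1
  trap 'rm -rf "$dir"' EXIT
  resp=$(curl -s -X POST https://shitty.email/api/inbox) || exit 1
  token=$(printf '%s' "$resp" | jq -r '.token')
  cfg=$(write_curl_config "$token" "$dir") || exit 1
  # On exit: delete the inbox, then remove the local copy of the token.
  trap 'api "$cfg" -X DELETE https://shitty.email/api/inbox; rm -rf "$dir"' EXIT
  printf '%s' "$resp" | jq -r '.email'     # the address alone is safe to show
  api "$cfg" https://shitty.email/api/inbox | redact "$token"
)
```

Calling run_session creates an inbox, prints its address, lists the inbox with the token masked, and deletes both the inbox and the local token file when it exits.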

Common Workflows

Wait for a Verification Email

Poll the inbox until an email matching criteria arrives:

# Create inbox and keep both fields from the single response
RESPONSE=$(curl -s -X POST https://shitty.email/api/inbox)
EMAIL=$(echo "$RESPONSE" | jq -r '.email')
token=$(echo "$RESPONSE" | jq -r '.token')

# Poll for emails (check every 5 seconds, max 60 seconds)
for i in {1..12}; do
  EMAILS=$(curl -s -H "X-Session-Token: ${token}" https://shitty.email/api/inbox)
  COUNT=$(echo "$EMAILS" | jq '.emails | length')
  if [ "$COUNT" -gt 0 ]; then
    echo "Email received!"
    echo "$EMAILS" | jq '.emails[0]'
    break
  fi
  sleep 5
done

Extract Verification Code

After receiving an email, extract common verification patterns:

# Get email content (email_id is the "id" field from the inbox response)
CONTENT=$(curl -s -H "X-Session-Token: ${token}" "https://shitty.email/api/email/${email_id}" | jq -r '.text')

# Common patterns to look for:
# - 6-digit codes: grep -oE '[0-9]{6}'
# - Verification links: grep -oE 'https?://[^ ]+verify[^ ]*'
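
Anyone can send mail to the inbox, so the body is untrusted input, and the two patterns above also match six digits inside a longer number and a "verify" link on any host. The following is an added example, not part of SKILL.md, that accepts a code only when it is unambiguous and a link only when it is https on the expected host; the expected host argument, the function names and the sample body are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from SKILL.md): the message body is untrusted input.

# Print the 6-digit code only when the body holds exactly one distinct
# digit run of length 6; longer numbers (order ids, phones) are ignored.
extract_code() (        # stdin = email text
  codes=$(tr -c '0-9' '\n' | grep -xE '[0-9]{6}' | sort -u)
  [ -n "$codes" ] || exit 1
  [ "$(printf '%s\n' "$codes" | grep -c .)" -eq 1 ] || exit 1
  printf '%s\n' "$codes"
)

# Print https links whose host is exactly the expected one.
# Assumption: $1 is the site the signup was made on.
extract_link() (        # $1 = expected host; stdin = email text
  grep -oE 'https://[^[:space:]<>"]+' | while IFS= read -r url; do
    rest=${url#https://}
    authority=${rest%%[/?#]*}
    case $authority in *@*|*:*) continue ;; esac   # userinfo or port: skip
    if [ "$authority" = "$1" ]; then printf '%s\n' "$url"; fi
  done
)

# Constructed sample body: one real code, one long number, two look-alike links.
SAMPLE_BODY='Your code is 482913. Order 1234567890 has shipped.
Confirm: https://newsletter.example.com/verify?t=abc
Mirror: https://newsletter.example.com.evil.test/verify?t=abc
Other: https://newsletter.example.com@evil.test/verify'

printf '%s\n' "$SAMPLE_BODY" | extract_code
printf '%s\n' "$SAMPLE_BODY" | extract_link newsletter.example.com
```

extract_code exits non-zero when there is no candidate or more than one, so the caller can ask the user instead of guessing.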

Best Practices

  1. Reuse tokens - Don't create new inboxes unnecessarily
  2. Poll responsibly - Wait 5 seconds between checks
  3. Clean up - Delete inbox when done to free resources
  4. Extend if needed - If waiting for slow emails, extend the inbox

Limitations

  • Inboxes expire after 1 hour (extendable to 24 hours max)
  • Email size limit: 1MB
  • Rate limited: Don't spam inbox creation
  • No outbound email - receive only

Example Conversation

User: "Create a temp email for me" → Call POST /api/inbox, return the email address, store the token

User: "Sign me up for newsletter.example.com" → Use the temp email to fill the signup form, then poll for confirmation

User: "Did I get the confirmation?" → Check inbox using stored token, report results

User: "What's the verification code?" → Fetch email content, extract the code pattern, return it

User: "I'm done, delete the inbox" → Call DELETE /api/inbox with the token
