ClawHub
Back to skill
v1.0.2

Shitty Email

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:18 AM.

Analysis

This is a transparent disposable-email helper, but it routes mail through an external service and uses a mailbox token that should be treated carefully.

GuidanceThis skill appears suitable for low-risk temporary email use, testing, and disposable signups. Do not use it for accounts where you need long-term recovery, private correspondence, or sensitive verification flows. Remember that messages go to an external disposable-email provider and that the generated token controls the inbox until it expires or is deleted.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
curl -s -X POST https://shitty.email/api/inbox | jq

The skill instructs use of curl and jq to call the disclosed external API. This is expected for the purpose and limited to inbox operations, but it is still command-driven network activity.

User impactUsing the skill will send requests to shitty.email and depend on that service for inbox creation and mail retrieval.
RecommendationUse it only for disposable-email tasks you intend to route through this service, and review actions that fetch, extend, or delete an inbox.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
SKILL.md
bins: [curl, jq]

The skill documentation declares reliance on curl and jq while the supplied registry requirements list no required binaries. This is an under-declared operational dependency, not hidden installation behavior.

User impactThe skill may fail or require the user to provide these tools if they are not already available.
RecommendationEnsure curl and jq are already installed from trusted sources, and prefer registry metadata that accurately declares required tools.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
This token is required for ALL subsequent operations. Always store and reuse the token for the same inbox session.

The generated token is effectively a bearer credential for the temporary mailbox, allowing later checks, message retrieval, extension, and deletion.

User impactAnyone or any agent context with the token could read or manage that temporary inbox, including verification messages sent to it.
RecommendationTreat the token like a temporary password, avoid using these inboxes for important long-term accounts, and delete the inbox when finished.