Mailinator - Free, Disposable, Email
Pass
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent Mailinator email-access skill, but users should understand it can expose email contents, API-token-backed private inboxes, and relies on external CLI/MCP components not included for review.
Install only if you intend your agent to read Mailinator inboxes. Treat public Mailinator emails as public, protect any private-domain API token, verify the external npm package before running it, and avoid using disposable inboxes for real secrets or production password resets.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the CLI means trusting code that was not available in this review.
The skill directs users to execute an external npm package, but no package code or install spec is included in the reviewed artifacts.
npm install -g mailinator-cli
# Or use with npx (no install)
npx mailinator-cli inbox test public
Verify the npm package publisher and version before installing, prefer pinned versions, and avoid global installation unless you trust the package.
If configured with a Mailinator API token, the agent or CLI may be able to read private-domain inboxes available to that token.
Private-domain access requires an API token, which can grant access to non-public Mailinator inboxes.
Subscribers to the Mailinator service may provide their API token (via Auth header or token= query parameter) and access their private domains.
Use the least-privileged token available, prefer an Authorization header or environment variable over URL query parameters, and revoke the token when no longer needed.
Email metadata or references may persist locally after use, which could matter if messages contain sensitive test data, links, or codes.
The skill says inbox data may be cached locally, but the artifact does not specify cache location, retention, or cleanup behavior.
**Smart Caching**: Local inbox cache for fast email retrieval by reference number
Avoid sending sensitive production secrets to disposable inboxes, learn where the cache is stored, and clear it when finished.
An email body could contain instructions or links that an assistant might mistakenly treat as user intent.
Retrieved emails are external, untrusted content that may be placed into the assistant context for analysis.
**Email Retrieval**: Fetch individual emails in 10+ formats (text, HTML, JSON, headers, SMTP logs, links)
Treat email contents as data only; require user confirmation before following links, using codes, or taking account actions based on an email.
