Temporam Temp Mail

Security checks across malware telemetry and agentic risk

Overview

This appears to be a straightforward Temporam temporary-email integration, with expected sensitivity around API keys and email contents.

Install only if you are comfortable giving the runtime a Temporam API key. Use it for temporary inboxes you control, avoid logging or sharing retrieved email contents, and treat verification links or codes as sensitive untrusted data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence: 86%
Finding
The README explicitly promotes retrieving full email contents, which commonly includes verification codes, personal messages, links, and other sensitive data, but it provides no privacy, retention, masking, or consent guidance. In the context of a temp-mail skill, this capability is expected, but the lack of warnings or handling guidance increases the risk of accidental exposure, over-collection, or misuse of sensitive inbox data.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill explicitly retrieves full email contents, which can contain verification links, one-time codes, personal data, or other sensitive communications, but it does not warn users about the privacy implications. In an agent setting, this can normalize exposing or logging sensitive mailbox content more broadly than necessary.

Missing User Warnings

Medium
Confidence: 88%
Finding
The description advertises the ability to list and retrieve email content for arbitrary temporary addresses without warning about the privacy and misuse implications. In this context, that omission can normalize or encourage unauthorized access to inbox contents, especially because the skill is positioned for automation and verification workflows that could be applied to third-party addresses.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill sends user-supplied email addresses and retrieved email contents to an external third-party API, but the tool definitions do not clearly disclose that this data leaves the local agent environment. In an agent/tooling context, this can expose sensitive inbox contents or identifiers without the user's informed consent, especially if the caller assumes processing is local.

VirusTotal

67/67 vendors flagged this skill as clean.
