Temporam Temp Mail

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill appears coherent and purpose-aligned for temporary email access, but it uses a Temporam API key and brings full email contents into the agent context.

This skill is reasonable for temporary email workflows. Before installing, make sure you are comfortable providing a Temporam API key, only use it for mailboxes and verification flows you control, and treat any retrieved email content as sensitive and untrusted.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone with the API key may be able to use the user's Temporam API access, including any quota or mailbox access associated with that key.

Why it was flagged

The skill reads a service API key from the environment and sends it as a bearer credential to Temporam. This is expected for the stated API integration, but it is credential-sensitive and should be explicitly understood by the user.

Skill content

API_KEY = os.environ.get("TEMPORAM_API_KEY") ... return {"Authorization": f"Bearer {API_KEY}"}

Recommendation

Store the API key only in the intended sandbox or runtime environment, avoid sharing logs or environments that may expose it, and rotate the key if it is accidentally disclosed.

What this means

Verification codes, links, and email contents may become visible to the agent, and malicious email text could try to influence the agent's behavior.

Why it was flagged

The skill intentionally retrieves external email bodies into the agent context. Email content can contain sensitive verification codes or untrusted text that should not be treated as instructions.

Skill content

Fetches the full content of a specific email ... extract the verification link or code from the `content` field.

Recommendation

Use the skill only for temporary mailboxes you control, treat fetched email bodies as untrusted data, and verify links or codes before acting on them.

What this means

If used carelessly, the agent could help complete sign-up or verification steps the user did not intend or is not authorized to perform.

Why it was flagged

The skill supports automated email-verification workflows. This is aligned with its purpose, but verification actions can affect third-party accounts or services and should stay under user control.

Skill content

Periodically call `get_latest_email` to poll for the verification email ... Complete the verification process.

Recommendation

Only invoke the verification workflow for services and accounts where the user has authorization, and require user confirmation before completing account-affecting steps.

What this means

Dependency behavior may vary over time depending on the package versions installed.

Why it was flagged

The README instructs installing unpinned Python dependencies manually. This is common and purpose-aligned for a Python MCP skill, but dependency versions and provenance are not constrained in the artifacts.

Skill content

pip install requests mcp

Recommendation

Install dependencies from trusted package sources and consider pinning versions in a controlled environment.