ClawHub

Disposable Email

v1.0.3

Create disposable Mail.tm inboxes and programmatically read incoming emails/OTP codes. Use when asked to generate a temporary email, poll inbox messages, ext...

1· 89·1 current·1 all-time
by@fantaclaw-ai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included scripts and SKILL.md. The bundled Python scripts call only the Mail.tm API to create accounts, obtain a bearer token, list messages, read messages, and extract OTPs — which is exactly what a disposable-email skill should do. There are no unrelated binaries, credentials, or config paths requested.
Instruction Scope
SKILL.md instructs the agent to run the bundled scripts and describes expected JSON outputs. The scripts only perform network calls to https://api.mail.tm and local file writes when the explicit --save option is used. The instructions do not ask the agent to read unrelated files, environment variables, or transmit data to other endpoints.
Install Mechanism
There is no install spec; this is an instruction + script bundle that uses only the Python standard library (urllib/json/etc.). Nothing is downloaded from arbitrary URLs or installed into uncommon locations.
Credentials
The skill declares no env vars or credentials. It generates Mail.tm accounts and tokens at runtime (returned via stdout/JSON). Those tokens are mailbox-level credentials and the SKILL.md appropriately warns to keep them private. No unrelated secrets are requested.
Persistence & Privilege
The skill is user-invocable and not always-enabled. It does not modify other skill or system configurations. It can write one result file if the user supplies --save (normal for this workflow).
Assessment
This skill appears to do what it says: create Mail.tm inboxes and read incoming messages/OTPs. Things to consider before installing or running it: (1) the scripts print mailbox tokens and can optionally save results to disk — treat those tokens like passwords and avoid running in environments where stdout or logs are shared; (2) disposable domains can be blocked by some services, so don't use this for critical production verification; (3) although the code only contacts api.mail.tm, be cautious if you later instruct an agent to forward inbox content — that could leak OTPs; (4) if you need more reliable CI usage, consider a paid/managed inbox provider. Overall the package is coherent and proportional to its stated purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk97esnh5ssry3aw14jtx2r67wh836mva

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Disposable Email

Create and read temporary Mail.tm inboxes for testing email flows.

Use bundled scripts

  • Create inbox + token:

    • python3 scripts/create_inbox.py
    • Returns JSON with address, password, token, accountId, domain.

  • List messages:

    • python3 scripts/read_inbox.py --token <TOKEN> --list

  • Read latest message:

    • python3 scripts/read_inbox.py --token <TOKEN> --latest

  • Wait for OTP from incoming mail:

    • python3 scripts/read_inbox.py --token <TOKEN> --wait-otp --timeout 120 --interval 3
    • Default OTP regex: \\b(\\d{4,8})\\b
    • Override regex with --otp-regex.

  • End-to-end (create inbox + wait for first message/OTP):

    • python3 scripts/e2e_otp.py --timeout 120 --interval 3
    • First line emits inbox_created JSON (address/password/token).
    • Then emits one of: otp_found, message_received_no_otp, or timeout.
    • Add --save ./otp-result.json to persist the latest emitted result to disk.

Workflow

  1. Run create_inbox.py and share the generated email address.
  2. Trigger email delivery to that address.
  3. Poll with read_inbox.py (--latest or --wait-otp).
  4. Return sender, subject, createdAt, and message text/OTP.

Notes

  • Free temp domains can be blocked by some production services.
  • Keep token private; treat it like mailbox access credentials.
  • Prefer stable paid inbox providers for CI if reliability is critical.

Files

4 total
Select a file
Select a file to preview.

Comments

Loading comments…