Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Temporam Temp Mail

v0.1.1

Provides temporary email receiving functionality using the Temporam API. Use for: generating temporary email addresses, listing emails for a given address, r...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The described capabilities (generate addresses, list emails, fetch content, poll latest) match the included client and MCP server code and the Temporam API endpoints. However, the registry metadata declares no required environment variables or primary credential, while the SKILL.md and code require a TEMPORAM_API_KEY. This mismatch is unexpected.
Instruction Scope
Runtime instructions are narrowly scoped to calling the Temporam API and using the provided TemporamClient/mcp tools. They only direct the agent to use the TEMPORAM_API_KEY and do not ask to read unrelated files, system state, or external endpoints beyond api.temporam.com.
! Install Mechanism
There is no install spec, even though the included Python code depends on external packages (requests, mcp/FastMCP). The README suggests pip install requests mcp, but the dependencies are not declared in the skill metadata. The lack of an install spec increases the chance that the runtime environment will be missing required packages.
! Credentials
The code and SKILL.md require a single API credential (TEMPORAM_API_KEY), which is proportionate for this purpose. The problem is that the metadata and registry fields do not declare this required env var or primary credential. This omission is an inconsistency that could mislead users into not providing the required key or into thinking the skill needs none.
Persistence & Privilege
The skill is not force-included (always: false) and does not request elevated privileges or system-wide config changes. Autonomous invocation is allowed (default) but not combined with other high-risk factors here.
What to consider before installing
This skill appears to do what it says (interact with Temporam), but metadata and packaging are incomplete. Before installing: (1) verify and set the TEMPORAM_API_KEY in the sandbox (the SKILL.md and code require it even though the registry metadata omits it); (2) run the skill in an isolated sandbox since it will fetch email contents (these may include verification codes or sensitive links); (3) ensure Python dependencies (requests, mcp/FastMCP) are installed or add an install step; (4) confirm you trust the Temporam service and the skill source (check the referenced GitHub repo/owner); (5) consider disabling autonomous invocation or limiting scope if you do not want the agent to use temporary emails without explicit approval. If the author can update the metadata to declare TEMPORAM_API_KEY and dependencies, the inconsistencies would be resolved.
