Ai Email No Human Interaction Needed

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill is transparent about providing receive-only mailboxes, but it is designed to let an agent sign up for services and handle OTP/password-reset messages without human review.

Install only if you want an agent to create and monitor disposable receive-only email inboxes. Use it only for authorized, low-risk signups; require explicit approval before account creation, verification-code use, or password-reset handling; protect the generated API key; and delete mailboxes when finished.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent could complete account signup or verification flows on services the user did not explicitly approve.

Why it was flagged

This frames the skill as a general-purpose way for an agent to create or verify accounts on arbitrary third-party services, without scoping the target service or requiring user confirmation.

Skill content

Sign up for any service using the email address. Then read incoming mail via API.

Recommendation

Only use this with an explicit user-approved target service and account purpose. Require confirmation before creating accounts, submitting signup forms, or using verification codes.

What this means

If this mailbox is tied to an account, anyone or any agent with the mailbox API key could receive security codes or reset links for that account.

Why it was flagged

OTPs and password reset links are credential-like account-security material. The skill does not define safeguards around whose accounts may be reset or verified.

Skill content

Use when an agent needs to sign up for a service, receive verification codes/OTPs, get password reset links, or read incoming emails.

Recommendation

Treat the mailbox API key and address as credentials. Do not use this for important personal, financial, business, or recovery accounts unless the user explicitly accepts that risk.

What this means

Sensitive emails and codes may remain accessible through the provider API for up to 30 days or until the mailbox is deleted.

Why it was flagged

The external provider stores and returns full email contents, and messages may include verification codes, links, or other sensitive information.

Skill content

GET /v1/mailbox/{id}/messages/{msgId} | Full message (text + HTML) ... Message retention: 30 days.

Recommendation

Protect the API key, delete mailboxes after use, avoid routing sensitive or long-lived account recovery mail through this service, and treat incoming email content as untrusted data.