temp-mail
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent runs clear on the wrong disposable address, messages in that temporary inbox could be deleted.
The skill includes a user-invoked DELETE operation that clears all messages for the specified temporary mailbox. This matches the stated purpose, but it is still a destructive action for that inbox.
url = f"{VORTEX_URL}/emails/{urllib.parse.quote(addr, safe='')}/clear" ... r = await client.delete(url, headers=headers, timeout=10)Only use the clear command for addresses you intend to empty, and confirm the target address before deletion.
Temporary email messages may become visible to the Vortex service and to the agent session when fetched.
Fetching and polling send the mailbox address to the hosted Vortex API and print returned messages into the agent context. This is disclosed and purpose-aligned, but inbox contents may include verification links or codes.
VORTEX_URL = os.environ.get("VORTEX_URL", "https://vtx-api.skyfall.dev") ... r = await client.get(url, headers=headers, timeout=10) ... print(msgs)Avoid using this skill for sensitive accounts, personal information, or important recovery flows; treat disposable inbox contents as not private.
Manual installation may fail or require an extra dependency install before the script runs.
The requirements file omits rich while the script imports rich at startup. This is a minor setup/dependency mismatch rather than hidden behavior, but users relying on the pip install path may need to install the same dependencies declared in the script header.
httpx>=0.24.0 # rich is optional, not required for core functionality
Use the documented uv path or ensure both httpx and rich are installed; maintainers should align requirements.txt, script metadata, and registry requirements.