temp-mail
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name:
Developer:
Version:
Description: OpenClaw Agent Skill
Suspicious High-Entropy/Eval files: 1

The skill is designed to interact with the Vortex temporary email API, allowing creation, fetching, polling, and clearing of email addresses. The `SKILL.md` provides clear instructions for using the skill and does not contain any prompt injection attempts. The `temp_mail.py` script uses `httpx` to communicate with the explicitly stated `vtx-api.skyfall.dev` endpoint, reads configuration from environment variables, and does not access sensitive local files, execute arbitrary commands, or exfiltrate data beyond its stated purpose. Dependencies listed in `requirements.txt` are standard and benign.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent runs `clear` on the wrong disposable address, messages in that temporary inbox could be deleted.
The skill includes a user-invoked DELETE operation that clears all messages for the specified temporary mailbox. This matches the stated purpose, but it is still a destructive action for that inbox.
url = f"{VORTEX_URL}/emails/{urllib.parse.quote(addr, safe='')}/clear" ... r = await client.delete(url, headers=headers, timeout=10)
Only use the `clear` command for addresses you intend to empty, and confirm the target address before deletion.
Temporary email messages may become visible to the Vortex service and to the agent session when fetched.
Fetching and polling send the mailbox address to the hosted Vortex API and print returned messages into the agent context. This is disclosed and purpose-aligned, but inbox contents may include verification links or codes.
VORTEX_URL = os.environ.get("VORTEX_URL", "https://vtx-api.skyfall.dev") ... r = await client.get(url, headers=headers, timeout=10) ... print(msgs)
Avoid using this skill for sensitive accounts, personal information, or important recovery flows; treat disposable inbox contents as not private.
Manual installation may fail or require an extra dependency install before the script runs.
The requirements file omits `rich` while the script imports `rich` at startup. This is a minor setup/dependency mismatch rather than hidden behavior, but users relying on the pip install path may need to install the same dependencies declared in the script header.
httpx>=0.24.0 # rich is optional, not required for core functionality
Use the documented `uv` path or ensure both `httpx` and `rich` are installed; maintainers should align `requirements.txt`, script metadata, and registry requirements.
