maxhub-temp-mail

Review

Audited by ClawScan on May 13, 2026.

Overview

The skill mostly matches a temporary-email service, but the bundled code exposes a generic provider request helper that can use your API key beyond the documented temp-mail endpoints.

Review this skill before installing. Only use it if you trust MaxHub/aconfig.cn, provide a dedicated API key where possible, set clear limits before any polling or chained checks, and avoid using temporary mailboxes for sensitive personal information.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern, Medium Confidence
ASI02: Tool Misuse and Exploitation
What this means

If this exported helper is available to the agent or other code, it could use the user's provider API key for aconfig.cn endpoints outside the documented temp-mail workflow, potentially causing unexpected data access or charges.

Why it was flagged

The low-level request function accepts an arbitrary path and method, attaches the MAXHUB_API_KEY, and is exported, while the skill is documented as only three temp-mail APIs.

Skill content
async function _rawRequest(path, params = {}, method = 'GET') { const url = `${BASE_URL}${path}`; ... [AUTH_HEADER]: resolveCredential() ... } ... module.exports = { request, callApi, API_REGISTRY, ... }
Recommendation

Restrict exported calls to the API_REGISTRY temp-mail endpoints, enforce an allowlist/prefix check, and require explicit user approval for any non-documented provider API call.

What this means

Anyone using the skill needs to provide a MaxHub credential, and API calls may consume account balance.

Why it was flagged

The skill requires a provider API key, which is expected for MaxHub access but still grants account/billing authority.

Skill content
| MAXHUB_API_KEY | Yes | MaxHub API key; register at https://www.aconfig.cn to obtain one |
Recommendation

Use a dedicated, least-privileged API key if available, monitor usage, and avoid sharing the key with unrelated skills or agents.

What this means

Unbounded polling could create repeated provider calls and small recurring charges.

Why it was flagged

The skill describes periodic inbox polling, which is purpose-aligned for waiting on mail but does not specify a polling interval, maximum duration, or stop condition in this artifact.

Skill content
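After creating a mailbox, periodically call the inbox API to check for new mail; when new mail is found, the detail API can be called to view the full content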
Recommendation

Before polling, ask the user to confirm the interval, maximum attempts, and when to stop.

What this means

Temporary email data may remain in process memory for a short time and repeated identical requests may return cached data.

Why it was flagged

The optimization layer caches API responses briefly; temp-mail responses may include mailbox tokens, inbox metadata, or message contents.

Skill content
cache: { maxSize: 50, defaultTTL: 3 * 60 * 1000 }
Recommendation

Do not use the skill for sensitive personal information, and clear/restart the agent session if temporary mailbox contents should not remain in memory.

What this means

Users may be confused about what the skill actually does, although the implemented API endpoints are temp-mail focused.

Why it was flagged

This description includes unrelated video search/user analysis/trending capabilities, which do not match the temp-mail API catalog.

Skill content
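Temporary email service: an intelligent collection and analysis tool for data from platforms such as temporary mailboxes, temp mail, and privacy mailboxes, supporting capabilities such as video search, user analysis, and trending-topic tracking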
Recommendation

Correct the documentation and remove unrelated boilerplate so users can accurately judge the skill's behavior.