Mailtap
v1.0.4
Generate and manage temporary disposable email addresses valid for 30 minutes to receive and retrieve verification emails and messages without authentication.
by Web3 Hungry (@zororaka00)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (temporary disposable email) match the SKILL.md and openapi.json. The documented endpoints (generate, inbox, email) and S3 attachment URLs align with the stated purpose. No unrelated credentials, binaries, or install steps are requested.
Instruction Scope
Instructions are narrowly scoped to calling the public API, polling inboxes, and downloading attachments. This is expected, but downloading attachments from a public S3 host is explicitly allowed by the skill and can expose agents to malicious files. The SKILL.md includes whitelist/size checks in a Python helper, which mitigates risk, but the helper is truncated in the provided artifact so the full download/validation flow could not be verified.
Install Mechanism
Instruction-only skill with no install spec and no code files to execute. Lowest install risk — nothing is written to disk by an installer.
Credentials
No environment variables, credentials, or config paths are requested. That is proportionate for a public, no-auth API.
Persistence & Privilege
Skill is not marked always:true and uses the normal agent invocation model. It does not request elevated or persistent platform privileges.
Assessment
This skill appears to do what it advertises: generate temporary emails and retrieve messages via public endpoints (api.mailtap.org) and public attachments (s3.mailtap.org). Before installing or letting agents use it autonomously, consider the following:
- Attachments are publicly downloadable and may contain malware; ensure agents enforce MIME-type whitelists, file-size limits, and run downloaded files through a virus scanner or sandbox before processing or opening.
- The included Python helper shows safety checks (whitelist and max size) but the file is truncated in the bundle — review the full helper code or reimplement download logic to confirm it does not execute unvalidated content.
- Public temporary-email services are useful but can be abused for fraud or account creation; ensure your usage complies with service terms and your organization's policies.
- Verify the API hostnames (api.mailtap.org, s3.mailtap.org) are the intended official endpoints and that you are comfortable allowing network access to them.
If you need stronger assurance (e.g., for automated, high-volume workflows), request full source code for the helper or run downloads in an isolated environment; otherwise the skill is internally consistent with its stated purpose.
Like a lobster shell, security has layers — review code before you run it.
