zororaka00

Mailtap

by Web3 Hungry · GitHub ↗ · v1.0.4
cross-platform ✓ Security Clean
Downloads: 652
Stars: 0
Active Installs: 0
Versions: 5
Install in OpenClaw
/install mailtap
Description
Generate and manage temporary disposable email addresses valid for 30 minutes to receive and retrieve verification emails and messages without authentication.
README (SKILL.md)

MailTap - Temporary Email Service

Version: 1.0.4
Author: Web3 Hungry
Author Handle: @zororaka00
Author Profile: https://x.com/web3hungry
Homepage: https://www.mailtap.org
Category: Utilities → Automation → Privacy & Verification
Tags: temporary-email

Overview

This skill provides seamless access to the MailTap Public API, a free temporary email service that generates disposable email addresses valid for 30 minutes.

No authentication or API key is required — all endpoints are public and use simple HTTP GET requests.

This skill does not store, proxy, or modify any email data. All operations communicate directly with the official MailTap public API.

Ideal for AI agents performing tasks such as:

  • Registering on websites/services without exposing real email addresses
  • Capturing verification codes, one-time links, or confirmation emails
  • Automating web3 airdrops, form submissions, or testing flows that require email verification
  • Privacy-focused workflows where email traceability must be avoided
  • Downloading email attachments when available

Base URL: https://api.mailtap.org

All responses are returned in JSON format.

Core Capabilities

The skill exposes three primary endpoints:

  1. Generate a new temporary email address
  2. Retrieve details of an existing email address
  3. Fetch all messages in the inbox (including attachments metadata)

Agents can chain operations autonomously (generate → wait → poll inbox → extract data → download attachments).

Usage Guide for Agents

Agents should use standard HTTP tools (curl, fetch, requests, etc.) to interact with the API.

1. Generate New Temporary Email

curl "https://api.mailtap.org/public/generate"

Example response:

{
  "address": "[email protected]",
  "expires_at": "2026-02-15T04:30:00.000Z",
  "created_at": "2026-02-15T04:00:00.000Z"
}

2. Get Email Details

curl "https://api.mailtap.org/public/email/{address}"

3. Get Inbox Messages

curl "https://api.mailtap.org/public/inbox/{address}"

Example response with attachment:

{
  "messages": [
    {
      "id": 1,
      "from_address": "[email protected]",
      "subject": "Your document",
      "body": "Please find the attached file.",
      "received_at": "2026-02-15T04:05:00.000Z",
      "attachments": [
        {
          "filename": "document.pdf",
          "mime_type": "application/pdf",
          "size": 102400,
          "r2_key": "attachments/abc123/document.pdf"
        }
      ]
    }
  ]
}

4. Download Attachments

Attachments are publicly downloadable via the S3-compatible URL:

https://s3.mailtap.org/{r2_key}

Example:

curl -O "https://s3.mailtap.org/attachments/abc123/document.pdf"

or

wget "https://s3.mailtap.org/attachments/abc123/document.pdf"

Recommended Agent Workflow Patterns

Verification flow:

  1. Generate email
  2. Use for signup
  3. Poll inbox
  4. Extract verification code

Attachment flow:

  1. Poll inbox
  2. If attachments exist → download
  3. Process files

Error handling:

  • If 404 → email expired → generate new address

Example Prompts for Agents

  • "Generate a new temporary email using MailTap"
  • "Check inbox for [email protected] and download attachments"
  • "Create temp email, wait up to 2 minutes, extract verification code"

Python Helper Library (Enhanced)

import requests
import time
import os
from pathlib import Path
from typing import Optional, Dict, Any

BASE_URL = "https://api.mailtap.org"
ATTACHMENT_BASE = "https://s3.mailtap.org"

# Whitelisted attachment types for security
WHITELISTED_MIME_TYPES = {
    "application/pdf",
    "image/jpeg", "image/png", "image/gif",
    "text/plain", "text/csv", "text/html",
    "application/msword", "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "application/vnd.ms-excel", "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
}

MAX_FILE_SIZE_MB = 10  # Maximum 10MB for security


def generate_email() -> Dict[str, Any]:
    """Generates a new temporary email address."""
    response = requests.get(f"{BASE_URL}/public/generate")
    response.raise_for_status()
    return response.json()


def get_inbox(address: str) -> Dict[str, Any]:
    """Retrieves the inbox for a given address."""
    response = requests.get(f"{BASE_URL}/public/inbox/{address}")
    if response.status_code == 404:
        return {"error": "Email not found or expired"}
    response.raise_for_status()
    return response.json()


def wait_for_message(address: str, timeout: int = 120, interval: int = 10) -> Dict[str, Any]:
    """Polls the inbox until a message arrives or timeout is reached."""
    start_time = time.time()
    while time.time() - start_time < timeout:
        inbox = get_inbox(address)
        if "error" not in inbox and inbox.get("messages"):
            return inbox["messages"][-1]
        time.sleep(interval)
    return {"error": "Timeout"}


def is_safe_attachment(attachment: Dict[str, Any]) -> bool:
    """Validates attachment safety based on MIME type and size."""
    mime_type = attachment.get("mime_type", "")
    size_mb = attachment.get("size", 0) / (1024 * 1024)
    
    if mime_type not in WHITELISTED_MIME_TYPES:
        return False
    if size_mb > MAX_FILE_SIZE_MB:
        return False
    return True


def download_attachment(r2_key: str, save_path: Optional[str] = None) -> str:
    """Downloads an attachment from the mailtap S3 storage with security checks."""
    
    # Parse attachment info from r2_key
    parts = r2_key.split("/")
    if len(parts) < 2:
        raise ValueError("Invalid r2_key format")
    
    filename = parts[-1]
    if not filename or ".." in filename:
        raise ValueError("Invalid filename detected")
    
    url = f"{ATTACHMENT_BASE}/{r2_key}"
    
    # Get attachment metadata first
    response = requests.head(url, allow_redirects=True)
    response.raise_for_status()
    
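    # Validate content type and size
    # Drop parameters such as "; charset=utf-8" before the whitelist comparison
    content_type = response.headers.get("content-type", "").split(";")[0].strip().lower()
    content_length = response.headers.get("content-length")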
    
    if content_type not in WHITELISTED_MIME_TYPES:
        raise ValueError(f"Unsafe MIME type: {content_type}")
    
    if content_length:
        size_mb = int(content_length) / (1024 * 1024)
        if size_mb > MAX_FILE_SIZE_MB:
            raise ValueError(f"File too large: {size_mb:.1f}MB (max {MAX_FILE_SIZE_MB}MB)")
    
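    # Download the file
    response = requests.get(url, stream=True)
    response.raise_for_status()
    
    if save_path is None:
        save_path = filename
    
    # Normalise the save path. resolve() only makes the path absolute; it does
    # not confine it, so a caller-supplied save_path must come from trusted code.
    save_path = Path(save_path)
    save_path = save_path.resolve()
    
    # Create directory if needed
    save_path.parent.mkdir(parents=True, exist_ok=True)
    
    # Enforce the size limit while streaming as well: the HEAD response may
    # omit Content-Length or differ from what the GET actually returns.
    max_bytes = MAX_FILE_SIZE_MB * 1024 * 1024
    written = 0
    with open(save_path, "wb") as f:
        for chunk in response.iter_content(8192):
            written += len(chunk)
            if written > max_bytes:
                break
            f.write(chunk)
    if written > max_bytes:
        save_path.unlink()  # remove the partial file
        raise ValueError(f"File too large: exceeded {MAX_FILE_SIZE_MB}MB during download")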
    
    return str(save_path)


def list_attachments(address: str) -> list:
    """Lists all attachments in inbox with security validation."""
    inbox = get_inbox(address)
    if "error" in inbox:
        return []
    
    safe_attachments = []
    for message in inbox.get("messages", []):
        for attachment in message.get("attachments", []):
            if is_safe_attachment(attachment):
                safe_attachments.append(attachment)
    
    return safe_attachments

Security Enhancements

1. Attachment Validation

  • MIME Type Whitelisting: Only allows common safe file types (PDF, images, text, office documents)
  • Size Limitation: Maximum 10MB per file to prevent large file attacks
  • Filename Sanitization: Prevents path traversal attacks by validating filenames

2. Safe Download Process

  • Metadata Validation: Checks content type and size before downloading
  • Sandboxed Download: Uses safe path resolution to prevent directory traversal
  • Streamed Download: Downloads in chunks to prevent memory exhaustion
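An added example (not part of the MailTap skill or its helper) of confining a download to one directory: `Path.resolve()` only normalises a path, so containment has to be checked explicitly. The names `confined_destination` and `save_exclusive` are hypothetical, and the `r2_key` values are constructed.

```python
import os
import tempfile
from pathlib import Path


def confined_destination(r2_key: str, download_dir: Path) -> Path:
    """Map an r2_key from the inbox JSON to a path directly inside download_dir.

    Hypothetical helper (not part of the MailTap skill); raises ValueError
    for any key that could land outside that directory.
    """
    # The key is remote data: reject empty, "." and ".." segments anywhere.
    segments = r2_key.split("/")
    if len(segments) < 2 or any(s in ("", ".", "..") for s in segments):
        raise ValueError(f"rejected r2_key: {r2_key!r}")
    name = segments[-1]
    # Backslash and colon are path syntax on Windows; NUL is never valid.
    if any(ch in name for ch in ("\\", ":", "\x00")):
        raise ValueError(f"rejected filename: {name!r}")

    base = download_dir.resolve()
    dest = (base / name).resolve()  # follows a symlink already planted on disk
    # resolve() only normalises; containment needs this explicit comparison.
    if dest.parent != base:
        raise ValueError(f"{name!r} resolves outside {base}")
    return dest


def save_exclusive(dest: Path, data: bytes) -> None:
    """Create dest with O_EXCL: never overwrites a file or writes via a symlink."""
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


if __name__ == "__main__":
    # Constructed sample keys: one well-formed, one attempting traversal.
    with tempfile.TemporaryDirectory() as tmp:
        for key in ("attachments/abc123/document.pdf", "attachments/../../x.pdf"):
            try:
                print(key, "->", confined_destination(key, Path(tmp)))
            except ValueError as exc:
                print(key, "-> rejected:", exc)
```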

3. Agent Safety Guidelines

  • Never auto-execute: Agents should never automatically execute downloaded files
  • Validate before use: Always validate file type and content before processing
  • Use in sandbox: For untrusted files, use in isolated environment
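One way to implement "validate before use" for a downloaded file, as an added example that is not the skill's own code: the `mime_type` field in the inbox JSON and the `Content-Type` header are only declarations, so compare them to the file's leading bytes. The function names are hypothetical, the signature table is limited to the types on the helper's whitelist, and the sample bytes in the test are constructed.

```python
from pathlib import Path

_ZIP = (b"PK\x03\x04",)                        # OOXML containers (.docx, .xlsx)
_OLE = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",)  # legacy .doc / .xls

# Leading-byte signatures for the binary types on the helper's whitelist.
SIGNATURES = {
    "application/pdf": (b"%PDF-",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "application/msword": _OLE,
    "application/vnd.ms-excel": _OLE,
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document": _ZIP,
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet": _ZIP,
}
# Executables and scripts: PE, ELF, shebang, Mach-O, Mach-O fat / Java class.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")


def content_matches_declared(head: bytes, declared_mime: str) -> bool:
    """True if the first bytes of a file are consistent with its declared type.

    A match means the label is consistent, not that the file is harmless:
    PDF and Office files can carry active content, so sandboxing still applies.
    """
    declared = declared_mime.split(";")[0].strip().lower()
    if head.startswith(EXECUTABLE_MAGIC):
        return False
    if declared in SIGNATURES:
        return head.startswith(SIGNATURES[declared])
    if declared in ("text/plain", "text/csv", "text/html"):
        return b"\x00" not in head  # binary data hiding under a text label
    return False  # anything not on the whitelist is refused


def file_matches_declared(path: Path, declared_mime: str) -> bool:
    """Read only the first 512 bytes of a downloaded file and check them."""
    with open(path, "rb") as f:
        return content_matches_declared(f.read(512), declared_mime)
```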

Important Notes & Limitations

  • Emails expire automatically after 30 minutes.
  • Attachments are public.
  • No authentication required.
  • Rate limits are generous for normal usage.
  • Security-first approach: All downloads are validated for safety.
  • No automatic execution: Agents must manually validate and process files.
  • User responsibility: Users should still exercise caution with unknown attachments.

Example Secure Workflow

# Secure attachment handling
address = "[email protected]"

# Get inbox and list safe attachments
attachments = list_attachments(address)

for attachment in attachments:
    try:
        # Download with validation
        file_path = download_attachment(attachment["r2_key"])
        print(f"Downloaded safe file: {file_path}")
        
        # Process file (in sandbox if possible)
        # process_file(file_path)
        
    except Exception as e:
        print(f"Failed to download {attachment['filename']}: {e}")

Source & Verification

This skill is a transparent wrapper around the public MailTap API with enhanced security measures.

Disclaimer

Use responsibly and comply with MailTap terms of service. While security measures are implemented, users should still exercise caution when handling email attachments from unknown sources.

Created and maintained by Web3 Hungry. Updated for security compliance.

Usage Guidance
This skill appears to do what it advertises: generate temporary emails and retrieve messages via public endpoints (api.mailtap.org) and public attachments (s3.mailtap.org). Before installing or letting agents use it autonomously, consider the following:

  • Attachments are publicly downloadable and may contain malware; ensure agents enforce MIME-type whitelists, file-size limits, and run downloaded files through a virus scanner or sandbox before processing or opening.
  • The included Python helper shows safety checks (whitelist and max size) but the file is truncated in the bundle; review the full helper code or reimplement download logic to confirm it does not execute unvalidated content.
  • Public temporary-email services are useful but can be abused for fraud or account creation; ensure your usage complies with service terms and your organization's policies.
  • Verify the API hostnames (api.mailtap.org, s3.mailtap.org) are the intended official endpoints and that you are comfortable allowing network access to them.

If you need stronger assurance (e.g., for automated, high-volume workflows), request full source code for the helper or run downloads in an isolated environment; otherwise the skill is internally consistent with its stated purpose.
Capability Analysis
Type: OpenClaw Skill
Name: mailtap
Version: 1.0.4

The MailTap skill provides a temporary email service with clear functionality and robust security measures, particularly for attachment handling. The Python helper library implements MIME type whitelisting, file size limits, filename sanitization, and path resolution (`Path.resolve()`) to prevent common file system vulnerabilities during downloads. The `SKILL.md` explicitly warns agents against auto-executing downloaded files and recommends sandboxing. All network communication is directed to the stated `mailtap.org` domains, and there is no evidence of data exfiltration, unauthorized command execution, or prompt injection attempts against the agent. The skill's design and documentation demonstrate a clear intent for secure and transparent operation.
Capability Assessment
Purpose & Capability
Name/description (temporary disposable email) match the SKILL.md and openapi.json. The documented endpoints (generate, inbox, email) and S3 attachment URLs align with the stated purpose. No unrelated credentials, binaries, or install steps are requested.
Instruction Scope
Instructions are narrowly scoped to calling the public API, polling inboxes, and downloading attachments. This is expected, but downloading attachments from a public S3 host is explicitly allowed by the skill and can expose agents to malicious files. The SKILL.md includes whitelist/size checks in a Python helper, which mitigates risk, but the helper is truncated in the provided artifact so the full download/validation flow could not be verified.
Install Mechanism
Instruction-only skill with no install spec and no code files to execute. Lowest install risk — nothing is written to disk by an installer.
Credentials
No environment variables, credentials, or config paths are requested. That is proportionate for a public, no-auth API.
Persistence & Privilege
Skill is not marked always:true and uses the normal agent invocation model. It does not request elevated or persistent platform privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install mailtap
  3. After installation, invoke the skill by name or use /mailtap
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.4
Security-focused update for the Python helper library.
  • Added MIME type whitelisting and file size limits for attachment downloads.
  • Implemented filename sanitization to prevent path traversal vulnerabilities.
  • Enhanced download process: now validates attachment metadata before download for improved safety.
  • Introduced helper functions to filter and list only safe attachments from inbox messages.
  • Updated documentation to reflect new security best practices and code changes.
v1.0.3
  • Bumped version to 1.0.3.
  • No file changes detected, only fixed tags.
v1.0.2
Version 1.0.2
  • Added security guidance about handling attachments, advising agents to treat files as untrusted input, sandbox downloads, and avoid automatic execution.
  • Cleaned up and reduced SKILL.md tags, now listing only temporary-email.
v1.0.1
  • Added OpenAPI specification as openapi.json for improved API documentation and integration.
  • Expanded SKILL.md with clearer instructions, agent workflow examples, and an enhanced Python helper (including attachment downloading).
  • Added explicit documentation on how to download email attachments via public S3 URLs.
  • Included homepage and source/reference URLs for MailTap.
  • Clarified that the skill does not store or modify any data; all communication is direct with MailTap API.
v1.0.0
MailTap 1.0.0 – Initial Release
  • Provides access to the MailTap Public API for generating disposable, temporary email addresses (valid for 30 minutes).
  • Supports three core endpoints: generate new email, get email details, and fetch all inbox messages.
  • No authentication or API key required; uses simple HTTP GET requests.
  • Includes example workflows and code snippets for agents to automate email-based verification.
  • Documents important limitations (expiry, no attachment downloads) and best practices for privacy and automation.
Metadata
Slug mailtap
Version 1.0.4
License
All-time Installs 0
Active Installs 0
Total Versions 5
Frequently Asked Questions

What is Mailtap?

Generate and manage temporary disposable email addresses valid for 30 minutes to receive and retrieve verification emails and messages without authentication. It is an AI Agent Skill for Claude Code / OpenClaw, with 652 downloads so far.

How do I install Mailtap?

Run "/install mailtap" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Mailtap free?

Yes, Mailtap is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Mailtap support?

Mailtap is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Mailtap?

It is built and maintained by Web3 Hungry (@zororaka00); the current version is v1.0.4.
