ghostonbutterbread/temporary-email
skills/temporary-email/SKILL.md
Create and read disposable Mail.tm inboxes for owned test account setup.
testing
Updated May 28, 2026
$ install --global
skillsauthnpx skillsauth add ghostonbutterbread/bug-bounty-harness temporary-emailInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 28, 2026, 2:35 AM395.2s1 file scanned
SKILL.md
- name:
- temporary-email
- description:
- Create and read disposable Mail.tm inboxes for owned test account setup.
Temporary Email
Use when Codex or Claude needs a disposable inbox for an owned target account.
This skill only manages temporary inboxes and verification mail. It does not manage Ghost's Gmail and it does not create durable researcher accounts.
Temporary inboxes and target accounts must carry an explicit destructible status. Default is destructible: no.
Commands
Create a mailbox:
agent-email create
Read latest messages:
agent-email read <email|alias> --limit 10
agent-email read <email|alias> --wait 60 --interval 3
Show one message:
agent-email show <email|alias> <messageId>
List known temporary inboxes:
agent-email accounts list
agent-email config path
Rules
- Confirm disposable email is not explicitly prohibited for the target workflow.
- Use temporary inboxes when Ryushe asks for a temporary account or when a workflow needs an account that may be burned.
- If the target blocks or rejects the temporary email domain, stop and tell Ryushe the domain was blocked. Wait for Ryushe to provide an email address; do not try alternate disposable providers or bypass the block.
- Read only owned temporary inboxes created for testing.
- Store resulting target-account credentials in Bitwarden when an account is created.
- Record only the account alias, email reference, target, purpose, destructible status, and Bitwarden item reference in notes.
- Mark
destructible: yesonly when the inbox/account is explicitly intended for mutation, deletion, burn, or destructive-flow testing. - Program-domain emails default to
destructible: nounless the stored email metadata clearly marks them destructible. A plus-addressed test identity such as[email protected]may be marked destructible when that is its recorded purpose. - Do not paste mailbox passwords, target passwords, tokens, cookies, reset links, verification links, codes, or private message bodies into chat, prompts, findings, or reports.
Account Note Format
When creating or recording an inbox/account, include:
Account alias:
Email reference:
Target/program:
Purpose:
Destructible: yes|no
Destructible reason:
Credential store item:
Cleanup notes:
If destructible status is missing, treat the account as destructible: no.
Stop Conditions
Stop and ask Ryushe if the target blocks the generated temporary email domain, requires phone/KYC, payment, SSO, a pre-approved account, explicitly bans disposable email, or the requested test needs a destructible account but none is marked destructible: yes.
Related Skills
ghostonbutterbread/stored-xss
documentation
VerifiedTrustedCommunity
Use when attacker-controlled input is saved and rendered later in a profile, comment, title, notification, admin view, export, email, feed, upload metadata, or other stored render surface.
SKILL.mdUpdated Jun 6, 2026
ghostonbutterbread/reflected-xss
content-media
VerifiedTrustedCommunity
Use when attacker-controlled input appears in the immediate HTTP response or browser-rendered page and needs reflected XSS context classification, payload selection, mutation, and browser verification.
SKILL.mdUpdated Jun 6, 2026
ghostonbutterbread/pwnfox
data-ai
VerifiedTrustedCommunity
Use when inspecting proxy traffic from PwnFox-profiled browser sessions, filtering Caido/Burp/proxy history by X-PwnFox-Color, or interpreting user phrases like 'Red session' as a distinct browser/auth/profile lane.
SKILL.mdUpdated Jun 6, 2026
ghostonbutterbread/skills/lfi
tools
VerifiedTrustedCommunity
# LFI — Local File Inclusion Bypass ## What It Does Tests LFI bypass techniques: path traversal, null bytes, wrappers, log poisoning. Load `general-security-testing-policy`, `live-testing-policy`, and `injection-testing-policy` before live testing. For file/path sinks, absence of an immediate file read or response delta is not a stop reason by itself; use the policy to reason about path normalization, extension allowlists, wrappers, encoding, parser differences, and stack-specific proof ladder
SKILL.mdUpdated Jun 6, 2026