React Email Skills

Pass. Audited by ClawScan on May 1, 2026.

Overview

This instruction-only React Email skill is coherent and purpose-aligned, with normal package setup and optional email-sending credentials that users should handle carefully.

This skill appears safe to install as documentation and guidance for React Email work. Be careful when following the setup and sending examples: npm/npx commands install code into your project, and provider API keys can send real emails. Confirm recipients and domains before sending anything with Resend, SMTP, or SendGrid.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running these commands installs packages and starts a local development server in the user’s environment.

Why it was flagged

The skill instructs users to scaffold and install a Node project using npm/npx, including an unpinned latest package. This is normal for the stated React Email development purpose, but it is still a supply-chain step users should recognize.

Skill content

npx create-email@latest
cd react-email-starter
npm install
npm run dev

Recommendation

Run setup only in a project directory you intend to modify, review the package source if needed, and consider pinning versions for production or regulated environments.

What this means

A provider API key can allow emails to be sent from the user’s account or domain, which may affect account reputation, quotas, or billing.

Why it was flagged

The sending workflow uses provider credentials from environment variables. This is expected for an email-sending integration, and the artifacts do not show hardcoded secrets or credential leakage.

Skill content

const resend = new Resend(process.env.RESEND_API_KEY);

Recommendation

Use scoped provider keys where possible, store them in environment variables or a secret manager, avoid pasting them into generated source files, and rotate keys if exposed.

What this means

If used with real credentials and recipients, the workflow can send actual emails outside the local project.

Why it was flagged

The skill documents using an email-sending tool or SDK to send outbound messages. This is directly aligned with the skill purpose, but sending email is an external action that should remain user-directed.

Skill content

Use Resend MCP send-email tool with:
// - to: recipient@example.com
// - subject: Welcome to Acme
// - html: html
// - text: text

Recommendation

Confirm the recipient list, sender domain, subject, and content before sending; use verified domains and test recipients before production sends.