Resend Send Native Node

Pass

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a coherent Resend email-sending helper with disclosed API-key use, dry-run defaults, and recipient allowlist controls for real sends.

Use this only for emails you intend to send through Resend. Set a least-privilege RESEND_API_KEY, configure RESEND_ALLOWED_TO to only approved recipients, dry-run first, and approve the exact content before using --send.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used incorrectly, the agent could send an email the user did not intend, but the documented workflow requires review and approval first.

Why it was flagged

The skill can cause a real outbound email, which is an external action. The artifact discloses this and instructs agents to require explicit approval.

Skill content

This skill is send-only, but it is still externally mutating. ... Use `--send` only after the user explicitly approves that exact recipient, subject, and body.

Recommendation

Use the dry-run output first, approve the exact recipient, subject, and body, and only then allow --send.

What this means

Anyone or any agent process with access to the Resend API key and allowed recipients could send mail through that Resend account.

Why it was flagged

The script uses a Resend API key from the process environment to authorize email sends. This is expected for the stated purpose, but it is still delegated account authority.

Skill content

const key = (process.env.RESEND_API_KEY || "").trim(); ... Authorization: `Bearer ${apiKey}`

Recommendation

Use a least-privilege Resend key, keep it out of shared environments, set RESEND_ALLOWED_TO narrowly, and rotate the key if exposed.

What this means

Users have less external provenance information for the package owner or project history.

Why it was flagged

The registry metadata does not provide an upstream source or homepage. The included script has no dependencies and is directly reviewable, so this is a provenance note rather than a behavior concern.

Skill content

Source: unknown; Homepage: none

Recommendation

Review the included script before use and prefer installing from trusted owners or packages with clear source provenance when available.