Resend CLI
PassAudited by ClawScan on May 10, 2026.
Overview
This is a coherent Resend CLI helper, but it gives the agent access to send emails and manage Resend account resources if you provide credentials.
This skill appears safe to install if you intend to let the agent use the Resend CLI. Before using it, install the official CLI, provide a least-privileged Resend API key, and require explicit confirmation before sending emails, launching broadcasts, deleting resources, or changing API keys/webhooks/domains.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An accidental or overbroad command could send emails to real recipients, launch a broadcast, or delete contacts/domains/segments in the user's Resend account.
The skill documents commands that can immediately send broadcasts and delete Resend account resources. These actions are aligned with the stated email-management purpose, but they are high-impact if run without careful user approval.
resend broadcasts create ... --send --json; resend domains delete <domain-id> --yes --json; resend contacts delete <contact-id> --yes --json
Use this skill only with explicit user confirmation for sends, broadcasts, deletes, scheduled-email changes, API-key changes, and other account mutations. Prefer listing or previewing targets before acting.
If a broad Resend API key is available, the agent may be able to send mail and manage account resources within that key's scope.
The skill requires Resend account credentials and can use a local credential file or API key. That is expected for the Resend CLI, but the agent's authority depends on the key's permissions.
Auth: `resend login` or set `RESEND_API_KEY` env var ... Key priority: `--api-key` flag > `RESEND_API_KEY` env var > `~/.config/resend/credentials.json`.
Use the least-privileged Resend API key possible, preferably the documented domain-scoped `sending_access` key for automation, and avoid exposing full-access keys unless necessary.
Users depend on the external package source for the actual executable behavior.
The skill relies on installing an external CLI through package managers. This is normal for a CLI wrapper, but the registry lists no structured install spec and the npm global install is not pinned in the artifact.
Install: `brew install resend/cli/resend` (recommended) or `npm install -g resend-cli`
Install from the official Resend source, verify the package name/source, and keep the CLI updated through trusted package-manager channels.