Resend

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Resend inbound-email helper, but it can expose private email content through a Resend API key and a third-party CLI.

Install only if you trust the third-party resend CLI package, use a dedicated read-only Resend API key, and treat fetched email bodies or attachment details as private and untrusted content. Review message summaries before asking an agent to display full email contents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This skill is designed to retrieve email bodies and attachment metadata, which can contain highly sensitive personal, business, or authentication-related information. Omitting a user-facing warning reduces informed consent and increases the chance that an agent retrieves private mailbox content in response to vague prompts.

VirusTotal

66/66 vendors flagged this skill as clean.
