Resend

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any process using this configured skill can read inbound email information that the API key is allowed to access.

Why it was flagged

The skill requires a Resend API key with read access, which is expected for the purpose but grants access to account email data.

Skill content

Create API key at API Keys → Create API key (needs read permissions)
Set environment variable: `export RESEND_API_KEY="re_your_key"`

Recommendation

Use a dedicated least-privilege Resend API key with read-only permissions, store it carefully, and revoke it when no longer needed.

What this means

The installed CLI will handle the Resend API key and email data, so the package’s trustworthiness matters.

Why it was flagged

The skill asks the user to install a global npm CLI package; this is central to the skill, but users should recognize it as an external dependency.

Skill content

npm install -g @mjrussell/resend-cli

Recommendation

Review the npm package source, publisher, and version before installing, and consider pinning a known-good version.

What this means

A malicious email could include instructions that try to influence the agent if the email content is not treated purely as data.

Why it was flagged

The skill can place inbound email content into the agent’s working context. Email bodies and attachments may contain untrusted text from external senders.

Skill content

resend email get <id>          # Show email details
User: "Show me the full content of email X"

Recommendation

Treat email contents and attachments as untrusted; do not follow instructions contained inside emails unless the user explicitly confirms them.