Resend CLI Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Resend CLI helper for live email and account operations, but users should treat its commands as real production actions.

Install only if you intend to let an agent help operate a real Resend account. Use a test or staging profile first, prefer scoped API keys and explicit profiles, review every send/delete/update/broadcast/API-key command before execution, avoid pipe-to-shell installs in sensitive CI, and keep message bodies, attachments, webhook payloads, API keys, and signing secrets out of logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
env["RESEND_PROFILE"] = args.profile

    try:
        proc = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
Confidence
90% confidence
Finding
proc = subprocess.run(
    cmd,
    capture_output=True,
    text=True,
    timeout=args.timeout,
    cwd=args.cwd,
    env=env,
)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs agents to perform real Resend sends, updates, cancellations, domain/webhook changes, and API-key-related operations, but it lacks a prominent warning that these are live account mutations with potential billing, deliverability, privacy, and credential consequences. In an agent context, that increases the chance of accidental email sends, unintended production changes, or unsafe handling of sensitive tokens.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The catalog includes commands that can send outbound email, forward inbound email, expose raw message data, emit webhook events, and create local listeners, but it does not prominently require confirmation, data-minimization, or privacy warnings before those operations. In an agent context, that increases the chance of unintended disclosure of message contents, recipient data, attachment URLs, or webhook payloads to external destinations or local logs.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The doctor route includes very broad phrases such as "debug", "broken", "auth", and especially "ci", which are common across many unrelated requests. In a task router for an agent skill, this can cause misrouting into diagnostic flows that collect environment/account state instead of the user’s intended action, increasing the chance of unnecessary exposure of operational details or incorrect command selection.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The single-send route matches generic phrases like "send email", "notification", and "welcome email", which overlap heavily with ordinary email-related requests and other higher-risk/more specific flows. In an automation context, broad matching can steer users into a direct send command with placeholder mutation semantics, creating a risk of unintended outbound actions if the router is used naively by an agent.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The webhook recipe tells users to expose a local listener through a tunnel and forward webhook traffic, but it does not warn that webhook payloads may contain sensitive operational or message metadata that will transit an external tunneling service and reach a locally running endpoint. In an agent/CI-oriented CLI skill, this omission is more dangerous because users may automate the setup quickly and forward real production events without considering data exposure, endpoint hardening, or limiting the test scope.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The inbound mailbox processor recipe instructs users to retrieve received email content and attachments without warning that these artifacts can contain sensitive personal, financial, authentication, or malware-bearing content. In the context of an AI-agent/terminal automation skill, this is riskier because automated flows may fetch, store, summarize, or retransmit inbound content broadly, increasing the chance of unintended disclosure or unsafe handling.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The API key creation example shows generation of a sending credential but omits any warning that the resulting secret must be stored securely, distributed minimally, and rotated if exposed. Because this skill explicitly targets terminal sessions, CI jobs, and agent automation, the risk is elevated: users may paste the credential into logs, shell history, chat transcripts, or insecure CI variables, enabling unauthorized use of the Resend account within the granted scope.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This skill can execute the official CLI directly from an agent workflow without an execution-time warning, which is risky because the CLI can perform external network actions and mutate account resources. In an agent setting, silent execution increases the chance of unintended or policy-bypassing side effects even if the code is not overtly malicious.

External Script Fetching

High
Category
Supply Chain
Content
| Environment | Good install choice |
| --- | --- |
| Generic macOS/Linux shell | `curl -fsSL https://resend.com/install.sh \| bash` |
| Node-heavy dev machine | `npm install -g resend-cli` |
| Homebrew-managed machine | `brew install resend/cli/resend` |
| Windows PowerShell | `irm https://resend.com/install.ps1 \| iex` |
Confidence
98% confidence
Finding
curl -fsSL https://resend.com/install.sh | bash

VirusTotal

66/66 vendors flagged this skill as clean.
