Resend CLI Skill
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill may send real emails, schedule broadcasts, create domains or webhooks, and manage Resend resources if given credentials.
The skill can guide an agent through live Resend account operations, including sending mail and mutating account resources. This matches the stated purpose, but users should recognize the operational impact.
sending/listing/updating/cancelling emails, batch sends, domains and DNS, webhooks and local listeners, inbound receiving, contacts, topics, segments, broadcasts, templates, API keys, profiles
Use it only for Resend tasks you intend to run, prefer test/staging profiles first, and require explicit review before bulk sends, broadcasts, deletes, or account-wide changes.
If the agent has access to a broad Resend API key or production profile, mistakes could affect real customers or account configuration.
The skill needs Resend account credentials or a stored profile for live operations. This is expected for a Resend CLI integration, but it is sensitive account authority.
Live operations require the official `resend` CLI plus a `RESEND_API_KEY` or stored profile.
Use least-privilege Resend API keys, domain-scoped tokens where possible, and explicit `--profile` selection for production versus staging.
Running installer scripts or global package installs affects the local environment and should be done only from trusted sources.
The skill documents user-run installation methods, including remote shell and PowerShell installers. These are common for CLIs and are not auto-executed by the skill, but they rely on trusted installation sources.
`curl -fsSL https://resend.com/install.sh \| bash` ... `npm install -g resend-cli` ... `irm https://resend.com/install.ps1 \| iex`
Prefer official Resend installation channels, review installer commands before running them, and pin or verify CLI versions in CI where practical.
Webhook and inbound email payloads may contain sensitive message or recipient data and can be forwarded to local services during development.
The skill supports webhook and local listener flows that move Resend event payloads through public tunnel URLs and local endpoints. The behavior is disclosed and purpose-aligned, with verification guidance.
starts a local HTTP server on `--port` ... creates a temporary webhook pointing at your public `--url` ... optionally forwards payloads to `--forward-to`
Use temporary tunnels carefully, verify webhook signatures, avoid exposing production payloads to untrusted local services, and stop listeners when finished.