resend-email
v1.0.3
Send emails via Resend API from any verified domain. Use when sending emails, notifications, or automated messages. Supports HTML and plain text. Default voi...
by Vlad Rimsha (@vladchatware)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the actual behavior: the send.sh script and the JS transform call the Resend API to send/fetch emails. The skill expects Resend credentials (stored at ~/.config/resend/credentials.json or via RESEND_API_KEY) which is appropriate for this functionality.
Instruction Scope
SKILL.md instructs the agent to read a local credentials file, to call Resend endpoints, and (optionally) to expose a local webhook via Tailscale Funnel and configure a Clawdbot hook. These actions are consistent with the stated purpose but do direct the agent to read a local config path (~/.config/resend/credentials.json) and to open network exposure if you follow the webhook instructions.
Install Mechanism
No install spec (instruction-only with shipped scripts) — nothing is downloaded or extracted. The runtime uses existing tools (bash, curl, python3, node) and therefore has a low install risk.
Credentials
The skill requires a Resend API key and a default from address, which it expects in ~/.config/resend/credentials.json or in RESEND_API_KEY; however the registry metadata lists no required env vars. This is reasonable but a minor mismatch — sensitive credentials are read from a local file or environment, so you should ensure that file/vars are protected. The Clawdbot webhook uses a shared-secret token which must be managed securely.
Persistence & Privilege
The skill does not request permanent/always-on inclusion, does not modify other skills, and does not require elevated platform privileges. Autonomous invocation is allowed by default but that is normal for skills; nothing here amplifies that risk.
Assessment
This skill is internally consistent for sending and receiving email via Resend, but before installing: (1) verify and secure your Resend API key — the scripts read ~/.config/resend/credentials.json (or RESEND_API_KEY) so ensure that file contains only the expected keys and is readable only by you; (2) if you enable the inbound webhook, protect the shared-secret and only expose endpoints via a trusted tunneling service (the README suggests Tailscale Funnel); (3) confirm the default "from" address and verified domains in your Resend account to avoid accidental sending from unauthorized domains; (4) because the skill's source is listed as unknown, review the two included files (send.sh and resend-inbound.js) yourself — they are short and readable and do not contain obfuscated or unexpected network destinations beyond api.resend.com; and (5) consider storing API keys in a secrets manager or environment variable rather than an unencrypted file if you prefer tighter credential controls.
Like a lobster shell, security has layers — review code before you run it.
latest: vk976kqte9tgmbt2738ftvgjt8x8216kd
