resend-email

Advisory

Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.env_credential_access, suspicious.potential_exfiltration

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the inbound webhook is enabled, someone who can send email to the inbound address may be able to influence Clawdbot's next actions through prompt-injection text in the email.

Why it was flagged

The transform takes the raw received email body and returns it as an agent message, so an external email sender could place instructions in the email content that the downstream agent might over-trust.

Skill content
const body = (content && (content.text || content.html)) || '(No body content)'; ... return { action: 'agent', message };
Recommendation

Treat inbound email bodies as untrusted data, quote or label them clearly, restrict accepted senders where possible, and require human approval before the agent takes any external action based on an email.

What this means

The agent can send messages from a verified domain if invoked with recipient, subject, and body values.

Why it was flagged

The script can send outbound email through the user's Resend account. This is the stated purpose, but it is still an externally visible action.

Skill content
curl -s -X POST 'https://api.resend.com/emails' ... -H "Authorization: Bearer $API_KEY" ... -d "$PAYLOAD"
Recommendation

Review recipients, sender address, subject, and body before sending important or public-facing email; consider using a restricted Resend API key.

What this means

Anyone or any agent process able to use this skill with the credential can send email through the configured Resend account.

Why it was flagged

The script reads a local Resend API credential. This is expected for the integration and documented in SKILL.md, but it is not declared in the registry metadata.

Skill content
CREDS_FILE="$HOME/.config/resend/credentials.json" ... API_KEY=$(cat "$CREDS_FILE" ...)
Recommendation

Store the Resend API key securely, rotate it if exposed, and prefer the least-privileged API key/domain configuration available.

What this means

Inbound email metadata and content may be delivered into agent and messaging-channel contexts if the optional webhook is enabled.

Why it was flagged

The optional receiving setup routes Resend webhook events into Clawdbot and a Telegram channel using a query-token webhook URL.

Skill content
action: "agent", deliver: true, channel: "telegram" ... URL: `https://<your-tailnet-host>.ts.net/hooks/resend?token=<shared-secret>`
Recommendation

Use a strong shared secret, avoid logging webhook URLs, limit who can send to the inbound address, and only enable Telegram delivery if that data flow is acceptable.

What this means

If enabled, the local webhook gateway may remain reachable through Tailscale Funnel until the user stops it.

Why it was flagged

The documented webhook setup starts Tailscale Funnel in background mode, which can keep a local service exposed for inbound webhook traffic.

Skill content
/Applications/Tailscale.app/Contents/MacOS/Tailscale funnel --bg 18789
Recommendation

Enable the funnel only when needed, confirm which local service is exposed, and know how to disable the background funnel after use.

Findings (2)

critical: suspicious.env_credential_access

Location: references/resend-inbound.js:6
Finding: Environment variable access combined with network send.

warn: suspicious.potential_exfiltration

Location: references/resend-inbound.js:8
Finding: Sensitive-looking file read is paired with a network send.