resend-email
MaliciousAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: resend-email Version: 1.0.3 The OpenClaw skill bundle is designed to send and receive emails via the Resend API. It accesses API keys from `~/.config/resend/credentials.json` for legitimate interaction with `api.resend.com`, which is necessary for its stated purpose. The `scripts/send.sh` uses a Python script to safely construct JSON payloads, mitigating shell injection risks. The `SKILL.md` and `references/voice-bureaucrat.md` files contain instructions for the AI agent, but these are purely functional and stylistic (e.g., email tone) and do not instruct the agent to perform any malicious actions, exfiltrate data, or ignore user commands. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or harmful prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the inbound webhook is enabled, someone who can send email to the inbound address may be able to influence Clawdbot's next actions through prompt-injection text in the email.
The transform takes the raw received email body and returns it as an agent message, so an external email sender could place instructions in the email content that the downstream agent might over-trust.
const body = (content && (content.text || content.html)) || '(No body content)'; ... return { action: 'agent', message };Treat inbound email bodies as untrusted data, quote or label them clearly, restrict accepted senders where possible, and require human approval before the agent takes any external action based on an email.
The agent can send messages from a verified domain if invoked with recipient, subject, and body values.
The script can send outbound email through the user's Resend account. This is the stated purpose, but it is still an externally visible action.
curl -s -X POST 'https://api.resend.com/emails' ... -H "Authorization: Bearer $API_KEY" ... -d "$PAYLOAD"
Review recipients, sender address, subject, and body before sending important or public-facing email; consider using a restricted Resend API key.
Anyone or any agent process able to use this skill with the credential can send email through the configured Resend account.
The script reads a local Resend API credential. This is expected for the integration and documented in SKILL.md, but it is not declared in the registry metadata.
CREDS_FILE="$HOME/.config/resend/credentials.json" ... API_KEY=$(cat "$CREDS_FILE" ...)
Store the Resend API key securely, rotate it if exposed, and prefer the least-privileged API key/domain configuration available.
Inbound email metadata and content may be delivered into agent and messaging-channel contexts if the optional webhook is enabled.
The optional receiving setup routes Resend webhook events into Clawdbot and a Telegram channel using a query-token webhook URL.
action: "agent", deliver: true, channel: "telegram" ... URL: `https://<your-tailnet-host>.ts.net/hooks/resend?token=<shared-secret>`
Use a strong shared secret, avoid logging webhook URLs, limit who can send to the inbound address, and only enable Telegram delivery if that data flow is acceptable.
If enabled, the local webhook gateway may remain reachable through Tailscale Funnel until the user stops it.
The documented webhook setup starts Tailscale Funnel in background mode, which can keep a local service exposed for inbound webhook traffic.
/Applications/Tailscale.app/Contents/MacOS/Tailscale funnel --bg 18789
Enable the funnel only when needed, confirm which local service is exposed, and know how to disable the background funnel after use.