resend-inbound
Facilitates email processing with Resend, enabling inbound domain setup, webhook handling, and content retrieval.
Security score
The resend-inbound skill was audited on May 24, 2026 and we found 29 security issues across 4 threat categories, including 1 high-severity. Review the findings below before installing.
Security Issues
Template literal with variable interpolation in command context
| 233 | subject: `Fwd: ${email.subject}`, |
Webhook reference - potential data exfiltration
| 3 | description: Use when receiving emails with Resend - setting up inbound domains, processing email.received webhooks, retrieving email content/attachments, or forwarding received emails. |
Webhook reference - potential data exfiltration
| 8 | - name: RESEND_WEBHOOK_SECRET |
Webhook reference - potential data exfiltration
| 9 | description: Webhook signing secret for verifying inbound email event payloads. Found in the Resend dashboard under Webhooks. |
Webhook reference - potential data exfiltration
| 17 | Resend processes incoming emails for your domain and sends webhook events to your endpoint. **Webhooks contain metadata only** - you must call separate APIs to retrieve email body and attachments. |
Webhook reference - potential data exfiltration
| 21 | This skill requires Resend SDK features for webhook verification (`webhooks.verify()`) and email receiving (`emails.receiving.get()`). Always install the latest SDK version. If the project already has |
Webhook reference - potential data exfiltration
| 39 | 2. **Set up webhook** - Subscribe to `email.received` event |
Webhook reference - potential data exfiltration
| 79 | ## Webhook Setup |
Webhook reference - potential data exfiltration
| 83 | Dashboard → Webhooks → Add Webhook → Select `email.received` |
Webhook reference - potential data exfiltration
| 88 | # Use https://abc123.ngrok.io/api/webhook as endpoint |
Webhook reference - potential data exfiltration
| 91 | ### Webhook Payload Structure |
Webhook reference - potential data exfiltration
| 117 | ### Verify Webhook Signatures |
Webhook reference - potential data exfiltration
| 129 | const event = resend.webhooks.verify({ |
Webhook reference - potential data exfiltration
| 136 | secret: process.env.RESEND_WEBHOOK_SECRET, |
Webhook reference - potential data exfiltration
| 149 | Webhooks exclude email body and headers. Call the Receiving API to get them: |
Webhook reference - potential data exfiltration
| 204 | const event = resend.webhooks.verify({ /* ... */ }); |
Webhook reference - potential data exfiltration
| 246 | All emails to your domain arrive at the same webhook. Route based on the `to` field: |
Webhook reference - potential data exfiltration
| 266 | | Expecting body in webhook payload | Webhook has metadata only - call `resend.emails.receiving.get()` for body | |
Webhook reference - potential data exfiltration
| 270 | | Not verifying webhook signatures | Always verify - attackers can send fake events | |
Webhook reference - potential data exfiltration
| 276 | - Webhook isn't configured yet |
Webhook reference - potential data exfiltration
| 277 | - Webhook endpoint is down |
Ngrok tunnel reference
| 85 | For local development, use tunneling (ngrok, VS Code Port Forwarding): |
Ngrok tunnel reference
| 87 | ngrok http 3000 |
Ngrok tunnel reference
| 88 | # Use https://abc123.ngrok.io/api/webhook as endpoint |
Access to .env file
| 124 | const resend = new Resend(process.env.RESEND_API_KEY); |
Access to .env file
| 136 | secret: process.env.RESEND_WEBHOOK_SECRET, |
Access to .env file
| 200 | const resend = new Resend(process.env.RESEND_API_KEY); |
External URL reference
| 6 | description: Resend API key for retrieving email content and attachments. Get yours at https://resend.com/api-keys |
External URL reference
| 88 | # Use https://abc123.ngrok.io/api/webhook as endpoint |