send-email

Facilitates sending transactional and bulk emails using the Resend API, ensuring best practices for delivery and error handling.

Security score: 41/100

The send-email skill was audited on May 24, 2026 and we found 15 security issues across 4 threat categories. Review the findings below before installing.

Security Issues

medium line 117

Template literal with variable interpolation in command context

Source: SKILL.md
117: { idempotencyKey: `welcome-email/${userId}` }

medium line 170

Template literal with variable interpolation in command context

Source: SKILL.md
170: { idempotencyKey: `batch-orders/${batchId}` }

medium line 8

Webhook reference - potential data exfiltration

Source: SKILL.md
8: - name: RESEND_WEBHOOK_SECRET

medium line 9

Webhook reference - potential data exfiltration

Source: SKILL.md
9: description: Webhook signing secret for verifying delivery event payloads (bounced, delivered, opened). Found in the Resend dashboard under Webhooks.

medium line 236

Webhook reference - potential data exfiltration

Source: SKILL.md
236: ## Webhooks (Event Notifications)

medium line 238

Webhook reference - potential data exfiltration

Source: SKILL.md
238: Track email delivery status in real-time using webhooks. Resend sends HTTP POST requests to your endpoint when events occur.

medium line 247

Webhook reference - potential data exfiltration

Source: SKILL.md
247: **CRITICAL: Always verify webhook signatures.** Without verification, attackers can send fake events to your endpoint.

medium line 249

Webhook reference - potential data exfiltration

Source: SKILL.md
249: See [references/webhooks.md](references/webhooks.md) for setup, signature verification code, and all event types.

medium line 267

Webhook reference - potential data exfiltration

Source: SKILL.md
267: - Correlate webhook events back to your application

medium line 373

Webhook reference - potential data exfiltration

Source: SKILL.md
373: **What happens:** Resend won't attempt delivery to suppressed addresses. The `email.suppressed` webhook event fires instead.

medium line 390

Webhook reference - potential data exfiltration

Source: SKILL.md
390: | Not verifying webhook signatures | Always verify - attackers can send fake events to your endpoint |

low line 108

Access to .env file

Source: SKILL.md
108: const resend = new Resend(process.env.RESEND_API_KEY);

low line 153

Access to .env file

Source: SKILL.md
153: const resend = new Resend(process.env.RESEND_API_KEY);

low line 6

External URL reference

Source: SKILL.md
6: description: Resend API key for sending emails. Get yours at https://resend.com/api-keys

low line 204

External URL reference

Source: SKILL.md
204: | **Links match sending domain** | If sending from `@acme.com`, link to `https://acme.com` - mismatched domains trigger spam filters |

Scanned on May 24, 2026