sendblue-api
Integrates with Sendblue API to send and receive iMessages, SMS, and RCS messages programmatically, enhancing messaging capabilities.
Install this skill
Security score
The sendblue-api skill was audited on Jun 1, 2026 and we found 20 security issues across 2 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Curl to non-GitHub URL
| 52 | curl -X POST https://api.sendblue.com/api/send-message \ |
Webhook reference - potential data exfiltration
| 3 | description: "Send and receive iMessage, SMS, and RCS from application code via the Sendblue HTTP API — text, media, group messages, send styles, reactions, typing indicators, status callbacks, and in |
Webhook reference - potential data exfiltration
| 10 | tags: [sendblue, imessage, sms, rcs, messaging, api, webhooks] |
Webhook reference - potential data exfiltration
| 22 | Sendblue is a REST API that sends iMessage (blue bubbles), SMS, and RCS from a provisioned phone number. Everything is plain JSON over HTTPS — no SDK is required. The API covers outbound 1:1 and group |
Webhook reference - potential data exfiltration
| 27 | - Use when receiving inbound messages via webhooks. |
Webhook reference - potential data exfiltration
| 71 | Configure webhook URLs in the dashboard or via `POST /api/account/webhooks`. Sendblue POSTs JSON to your endpoint. Respond with 2xx promptly — non-2xx triggers retries and duplicate deliveries. Event |
Webhook reference - potential data exfiltration
| 89 | | POST | `/api/account/webhooks` | CRUD webhook subscriptions | |
Webhook reference - potential data exfiltration
| 135 | ### Example 4: Inbound webhook payload (`receive`) |
Webhook reference - potential data exfiltration
| 157 | - ✅ **Return 2xx fast from your webhook**, then process async. Non-2xx triggers duplicate deliveries. |
Webhook reference - potential data exfiltration
| 174 | - Treat every outbound send, contact/webhook mutation, read receipt, reaction, or typing indicator as state-changing. Preview the recipient, sender line, content, and callback/webhook changes, then wa |
Webhook reference - potential data exfiltration
| 175 | - Webhook endpoints should be on HTTPS and idempotent — same `message_handle` may arrive more than once. |
Webhook reference - potential data exfiltration
| 185 | - **Media URLs expire in ~30 days.** If you need durable media from inbound webhooks, download and re-host on receipt. |
Webhook reference - potential data exfiltration
| 187 | - **Webhook retries on non-2xx.** Return 200 even when you've decided to ignore the event; otherwise expect duplicate deliveries. |
Webhook reference - potential data exfiltration
| 199 | - Useful undocumented-here features: carousels (`/api/send-carousel`), FaceTime/contact-card sharing, advanced webhook filtering, contacts API beyond basic CRUD — see the docs site. |
External URL reference
| 36 | https://api.sendblue.com |
External URL reference
| 52 | curl -X POST https://api.sendblue.com/api/send-message \ |
External URL reference
| 101 | "media_url": "https://example.com/img.jpg", |
External URL reference
| 103 | "status_callback": "https://yourapp.com/sendblue/status" |
External URL reference
| 141 | "media_url": "https://...", |
External URL reference
| 198 | - Sendblue: <https://sendblue.com> |