ClawAudit verdict

resend

resend-skills

88
🟢 Trusted
Low risk — reviewed by ClawAudit, behavior matches stated purpose

Official Resend SDK skill for transactional email, webhooks, and contact management using a user-supplied RESEND_API_KEY; all operations are standard email platform API calls matching the declared purpose.

⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.

Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives.

security: 0
transparency: 70
maintenance: 70

Findings (8)

Pattern match critical

Possible hardcoded credential

references/api-keys.md · code · api_key = "re_xxxxxxxxx

Pattern match high

Pipe to python — executes piped content as Python code

SKILL.md · prose · downgraded · | Python

Pattern match high

Dynamic import() — loads module at runtime

references/sending/best-practices.md · code · import ( "

Pattern match high

References sudo — requests elevated privileges

references/webhooks.md · code · sudo

Confirmed in code medium

Accesses process.env — reads environment variables

SKILL.md · code

Pattern match medium

Accesses sensitive environment variables

SKILL.md · code · process.env.RESEND_API_KEY

Pattern match medium

References tunneling service

references/receiving.md · code · ngrok

Pattern match medium

Instructs covert action — may act without user awareness

references/sending/overview.md · prose · downgraded · silently

Permissions & capabilities

Requires 1 environment variable. (1 sensitive: RESEND_API_KEY).

credential_access · network_in
