resend-api
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill metadata contains deceptive information regarding its origin. Specifically, the
SKILL.mdfile identifies the author as "OpenAI", which is inconsistent with the actual author attribution for this skill. - [PROMPT_INJECTION]: The skill possesses an indirect prompt injection attack surface because it is designed to ingest and process untrusted external data in the form of incoming email content.
- Ingestion points: Incoming email content is retrieved via the Resend Receiving Emails API using the
GET /emails/receiving/{email_id}endpoint, as documented inreferences/webhooks-inbound-and-beta.md. - Boundary markers: The instructions do not specify any delimiters or safety warnings to prevent the agent from following instructions that may be embedded within the content of received emails.
- Capability inventory: The bundled script
scripts/resend_api.pygrants the agent the ability to make network requests to the Resend API and write data to local files via the--outputand--binary-outputflags. - Sanitization: There are no mechanisms described or implemented to sanitize, filter, or validate the content of processed emails before they are placed into the agent's context.
- [DATA_EXFILTRATION]: The helper script
scripts/resend_api.pyperforms network operations toapi.resend.com, which is a non-whitelisted domain. While essential for the skill's intended purpose, the script allows for the redirection of API calls to arbitrary URLs via theRESEND_BASE_URLenvironment variable, representing a low-level data exfiltration risk if the environment is compromised.
Audit Metadata