send-email
Facilitates sending transactional and bulk emails using the Resend API, ensuring best practices for production email delivery.
Install this skill
Security score
The send-email skill was audited on May 27, 2026 and we found 12 security issues across 4 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 110 | { idempotencyKey: `welcome-email/${userId}` } |
Template literal with variable interpolation in command context
| 163 | { idempotencyKey: `batch-orders/${batchId}` } |
Webhook reference - potential data exfiltration
| 229 | ## Webhooks (Event Notifications) |
Webhook reference - potential data exfiltration
| 231 | Track email delivery status in real-time using webhooks. Resend sends HTTP POST requests to your endpoint when events occur. |
Webhook reference - potential data exfiltration
| 240 | **CRITICAL: Always verify webhook signatures.** Without verification, attackers can send fake events to your endpoint. |
Webhook reference - potential data exfiltration
| 242 | See [references/webhooks.md](references/webhooks.md) for setup, signature verification code, and all event types. |
Webhook reference - potential data exfiltration
| 260 | - Correlate webhook events back to your application |
Webhook reference - potential data exfiltration
| 366 | **What happens:** Resend won't attempt delivery to suppressed addresses. The `email.suppressed` webhook event fires instead. |
Webhook reference - potential data exfiltration
| 383 | | Not verifying webhook signatures | Always verify - attackers can send fake events to your endpoint | |
Access to .env file
| 101 | const resend = new Resend(process.env.RESEND_API_KEY); |
Access to .env file
| 146 | const resend = new Resend(process.env.RESEND_API_KEY); |
External URL reference
| 197 | | **Links match sending domain** | If sending from `@acme.com`, link to `https://acme.com` - mismatched domains trigger spam filters | |