resend
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The
agent-email-inboxsub-skill is specifically designed to facilitate the processing of untrusted email content by AI agents, which creates a surface for indirect prompt injection attacks. - Ingestion points: Incoming
email.receivedwebhook events and theresend.emails.receiving.get()API call used to retrieve full email bodies (documented inagent-email-inbox/SKILL.md). - Boundary markers: The skill documentation recommends several "Security Levels" (Allowlists, Content Filtering, Sandboxing) to isolate untrusted input, though enforcement is dependent on user implementation.
- Capability inventory: The documentation notes that agents may be configured with dangerous capabilities such as
execute,delete, orforwardwhich could be exploited via malicious email instructions. - Sanitization: The skill provides practical guidance and regex examples for stripping HTML content and removing quoted email threads to reduce the attack surface.
- [PROMPT_INJECTION]: A reference implementation for a sender allowlist in
agent-email-inbox/SKILL.mduses substring matching (.includes()), which is susceptible to bypass via specially crafted domains (e.g.,admin@company.com.evil.com). This vulnerability is acknowledged and addressed within the skill's own testing scenarios. - [EXTERNAL_DOWNLOADS]: The skill references the installation of official Resend SDKs from well-known package registries (NPM, PyPI, etc.) and the use of the
svixpackage for webhook verification. These are standard dependencies for the Resend service and are considered safe sources.
Audit Metadata