resend-integration-skills

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (HIGH): The scripts/setup-resend-mcp.sh script clones a repository from https://github.com/resend/mcp-send-email.git. This source is not in the predefined trusted list, meaning the agent is downloading arbitrary third-party code.
  • [REMOTE_CODE_EXECUTION] (HIGH): The setup script automatically runs npm install and npm run build on the contents of the cloned repository. This allows for arbitrary code execution on the host machine during the installation phase.
  • [COMMAND_EXECUTION] (MEDIUM): The skill relies on running a locally compiled Node.js server via node build/index.js, which provides the core MCP functionality and tools.
  • [PROMPT_INJECTION] (HIGH):
      • Evidence (Indirect Prompt Injection): In references/EXAMPLES.md, multiple patterns (Examples 3, 9, 11) demonstrate the agent reading untrusted data sources like customers.csv and subscribers.json to generate and send emails.
      • Ingestion Points: customers.csv, subscribers.json, email.md.
      • Capability Inventory: send_email, schedule_email, send_broadcast_email.
      • Sanitization: No sanitization, validation, or boundary markers (e.g., XML tags or delimiters) are provided or recommended in the instructions to separate data from instructions.
      • Risk: An attacker could place malicious instructions inside a CSV or JSON file that, when read by the agent, triggers the exfiltration of sensitive local files (e.g., .env, SSH keys) by sending them to an attacker-controlled email address.
  • [CREDENTIALS_UNSAFE] (MEDIUM): The automated setup script prompts for a RESEND_API_KEY and echoes it back into the terminal session while generating configuration snippets. This exposes the secret to terminal history, shoulder surfing, and potential logging systems.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 15, 2026, 10:10 PM