resend
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill handles untrusted external data from incoming emails and has significant write/execute capabilities, creating a high-risk surface for Indirect Prompt Injection.
  - Ingestion points: Email content and attachments are retrieved in `resend-inbound/SKILL.md` using `resend.emails.receiving.get` and `attachments.list`.
  - Boundary markers: Code examples show direct usage of email text/HTML without delimiters or instructions to ignore embedded commands.
  - Capability inventory: The skill can send emails (`resend.emails.send`), download files (`fetch`), and save to storage (`saveToStorage`), enabling side effects from injected prompts.
  - Sanitization: No sanitization or content validation is demonstrated in the provided implementation examples.
- DATA_EXFILTRATION (MEDIUM): The forwarding workflow in `resend-inbound/SKILL.md` enables sending received content to arbitrary recipients. An injected prompt could exploit this to leak sensitive internal data via email.
- EXTERNAL_DOWNLOADS (LOW): The skill programmatically downloads attachments from dynamic URLs via `fetch`. While these are Resend-managed, the pattern allows runtime retrieval of external binary data, which could contain malicious payloads if the agent is tricked into processing them.
Recommendations
- AI detected serious security threats
Audit Metadata