resend

[Skill Scanner] Natural language instruction to download and install from URL detected All findings: [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] prompt_injection: Detected attempt to override previous instructions (PI001) [AITech 1.1] [CRITICAL] prompt_injection: Detected system prompt override attempt (PI004) [AITech 1.1] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] prompt_injection: Detected instruction delimiter injection (PI005) [AITech 1.2] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] This skill and its example code are coherent with their stated purpose (securely receiving and processing emails for an AI agent). There is no evidence of malicious behavior or hidden exfiltration. However, I found several security hygiene issues and risky patterns that could lead to accidental misuse or data leakage if developers copy the examples without strengthening them: loose sender matching, simplistic domain parsing, verbatim logging/notifications of email contents, limited rate-limiting implementation, and implicit trust that the agent enforces capability restrictions. These are not indicators of malware but represent moderate security risk if deployed as-is. Recommendations: use strict canonical email parsing, exact matches for allowlists, durable/distributed rate limiting, redaction/summarization before logging or notifying owners, and enforce capability boundaries inside the agent implementation. LLM verification: The skill's code and documentation align with its stated purpose: receive and verify Resend webhooks, fetch full email contents, and forward validated emails to an AI agent. I found no direct indicators of malicious code (no obfuscation, no hidden network exfiltration, no hardcoded secrets). The primary security concern is functional: the critical security validation (processEmailForAgent) is not included — without it, passing raw email content to an agent is dangerous due to prompt-injection ri