send-email
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOW
EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (LOW): The installation guide (references/installation.md) directs users to install Resend SDKs from public package managers such as npm, pip, and gem. While these are the official packages for the service, they represent external dependencies.
- PROMPT_INJECTION (LOW): The webhook documentation (references/webhooks.md) describes handling untrusted external data, which is a potential surface for indirect prompt injection.
  1. Ingestion points: HTTP POST payloads received at a developer-defined endpoint.
  2. Boundary markers: The documentation strongly demonstrates the use of cryptographic signature verification (resend.webhooks.verify) as a validation boundary.
  3. Capability inventory: The provided code example shows internal application influence such as updating a database client.
  4. Sanitization: The documentation requires verifying the svix-signature header against a webhook secret to ensure data authenticity.
Audit Metadata