Resend Expert
Audited by Socket on Feb 20, 2026
1 alert found:
Malware [Skill Scanner]: Installation of third-party script detected

All findings:
- [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
- [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
- [CRITICAL] hardcoded_secrets: Hardcoded API key detected (HS001) [AITech 8.2]
- [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

No direct malicious code patterns (obfuscation, remote backdoor, eval-based code injection) were found. However, this skill/documentation contains a hard-coded API key and explicit verified sender/domain info. That is a significant security/privacy problem: if the key is valid it enables abuse (sending arbitrary emails, managing resources). The network endpoints used are official (api.resend.com), so there is no evidence of third-party interception, but the embedded credential and permissive allowed-tools increase the risk of misuse. Recommend removing or rotating the hard-coded key, treating the key as compromised, and avoiding publishing verified-sender claims in public examples.

LLM verification: This file is documentation for the Resend API and SDKs and not executable malware. The primary, high-impact security issue is a cleartext hardcoded API key present in examples. If valid, it grants authenticated access to the Resend service and can be abused to send spam/phishing, manipulate contacts/domains, or create webhooks. Secondary issues: unpinned dependency installs and missing guidance on key scoping/rotation. Action: redact/remove the inline key, require use of environment variables f