安全扫描
OpenClaw
可疑
medium confidenceThe skill's behavior and required secrets line up with a Resend email integration, but there are metadata and packaging inconsistencies (missing declared env vars and no install spec) that warrant caution before trusting/installing it.
评估建议
This package appears to be a documentation-heavy Resend integration and legitimately needs your RESEND_API_KEY (and optionally the webhook signing secret). Before installing: 1) verify the skill's source (the registry metadata lists 'unknown' but the SKILL.md references resend.com and a GitHub repo) — prefer skills published by the official vendor; 2) confirm your platform will provide the Node SDK or add an explicit install step (npm install resend) — right now there's no install spec; 3) treat...详细分析 ▾
ℹ 用途与能力
Name, description, and included docs/code consistently implement Resend API functionality (sending, webhooks, templates, logs, etc.). The SKILL.md declares RESEND_API_KEY (required) and RESEND_WEBHOOK_SECRET (optional) which are appropriate for this purpose. However, the registry-level metadata claims no required env vars / no homepage / unknown source while the embedded SKILL.md and file manifest reference an upstream source and require credentials — this mismatch is an incoherence.
✓ 指令范围
SKILL.md instructions and examples stay within Resend API scope (send emails, verify webhooks, manage templates, etc.). The instructions reference only RESEND_API_KEY and RESEND_WEBHOOK_SECRET and standard SDK calls; there are no instructions to read unrelated system files or exfiltrate arbitrary data. Examples do print tokens/secrets to console in docs (e.g., showing created API key or signing_secret), which is a potential accidental-leak risk if users copy example code into production without securing logs.
⚠ 安装机制
There is no install spec even though code examples (and fetch-all-templates.mjs) require the 'resend' npm package (comment: 'Requires: npm install resend'). The skill will likely need the Resend SDK at runtime but does not declare installation steps; absence of an install spec means the agent/platform needs to provide the SDK or the examples will fail. This mismatch is a packaging/operational risk (not inherently malicious) and should be clarified.
⚠ 凭证需求
The SKILL.md rightly requires RESEND_API_KEY (and optionally RESEND_WEBHOOK_SECRET) which are proportional to the stated capabilities. The problem: the registry metadata listed no required env vars/primary credential — a discrepancy that could lead users to install the skill without realizing it needs sensitive credentials. Also some example snippets show printing tokens/signing secrets to stdout; copying those examples verbatim could leak secrets to logs.
✓ 持久化与权限
The skill is not marked always:true and does not request system config paths or modify other skills. Autonomous invocation is allowed (platform default) but not combined with other high-risk privileges here.
⚠ references/fetch-all-templates.mjs:4
Environment variable access combined with network send.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv2.7.02026/3/4
● 无害
安装命令 点击复制
官方npx clawhub@latest install resend-skills
镜像加速npx clawhub@latest install resend-skills --registry https://cn.clawhub-mirror.com
技能文档
Overview
Resend is an email platform for developers. This skill routes to feature-specific sub-skills.
Sub-Skills
| Feature | Skill | Use When |
|---|---|---|
| Sending emails | send-email | Transactional emails, notifications, batch sends |
| Receiving emails | resend-inbound | Processing inbound emails, webhooks for received mail, attachments |
| AI Agent inbox | agent-email-inbox | Setting up email for AI agents, or any system where untrusted email content triggers actions — includes input validation and content safety measures |
| Email templates | templates | Creating, updating, publishing, and managing reusable email templates via API |
Quick Routing
需要 到 manage templates (创建/更新/发布/删除)? 使用 templates skill
- 满 模板 lifecycle management 通过 API
- 变量 syntax, constraints, reserved names
- Draft vs published state, version history
需要 到 发送 emails? 使用 发送-email skill
- Single 或 batch transactional emails
- Attachments, scheduling, templates
- Delivery webhooks (bounced, delivered, opened)
需要 到 接收 emails? 使用 resend-inbound skill
- 设置 up inbound domain (MX records)
- 处理中
email.receivedwebhooks - Retrieving email content 和 attachments
- Forwarding received emails
设置 up AI agent inbox? 使用 agent-email-inbox skill
- Configuring email 对于 Moltbot/Clawdbot 或 similar AI agents
- Webhook setup 带有 ngrok/tunneling 对于 local development
- Security levels 对于 safe handling 的 untrusted 输入框
- Trusted sender allowlists 和 content filtering
Automated system processes untrusted email content 和 takes actions? 使用 agent-email-inbox skill
- 甚至 没有 AI/LLM involvement, 任何 system interprets freeform email content 从 external senders 和 triggers actions (refunds, 数据库 changes, forwarding) needs 输入框 validation. Untrusted 输入框 triggering actions requires careful handling.
Sending + receiving together? 您 需要 both resend-inbound 和 发送-email
- Auto-replies, email forwarding, 或 任何 接收-然后-发送 workflow requires both skills
- 设置 up inbound 第一个, 然后 sending
- Note: batch sending 做 不 support attachments 或 scheduling — 使用 single sends 当...时 forwarding 带有 attachments
Marketing emails 或 newsletters? 使用 Resend Broadcasts
- sub-skills 上面 对于 transactional email. Marketing campaigns 到 large subscriber lists 带有 退订 links 和 engagement tracking 应该 使用 Resend Broadcasts, 不 batch sending.
Common Setup
API 键
Store in environment variable:
export RESEND_API_KEY=re_xxxxxxxxx
SDK Installation
See send-email skill for installation instructions across all supported languages.
Resources
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制