This skill covers setting up a secure email inbox that allows your application or AI agent to receive and respond to emails, with content safety measures in place.
Confirm successful installation by checking the skill directory location:
.cursor/skills/agent-email-inbox
Restart Cursor to activate agent-email-inbox. Access via /agent-email-inbox in your agent's command palette.
β
Security Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
This skill covers setting up a secure email inbox that allows your application or AI agent to receive and respond to emails, with content safety measures in place.
Core principle: An AI agent's inbox receives untrusted input. Security configuration is important to handle this safely.
Why Webhook-Based Receiving?
Resend uses webhooks for inbound email, meaning your agent is notified instantly when an email arrives. This is valuable for agents because:
Real-time responsiveness β React to emails within seconds, not minutes
No polling overhead β No cron jobs checking "any new mail?" repeatedly
Event-driven architecture β Your agent only wakes up when there's actually something to process
Lower API costs β No wasted calls checking empty inboxes
Architecture
Sender β Email β Resend (MX) β Webhook β Your Server β AI Agent
β
Security Validation
β
Process or Reject
SDK Version Requirements
This skill requires Resend SDK features for webhook verification (webhooks.verify()) and email receiving (emails.receiving.get()). Always install the latest SDK version. If the project already has a Resend SDK installed, check the version and upgrade if needed.
Language
Package
Min Version
Node.js
resend
>= 6.9.2
Python
resend
>= 2.21.0
Go
resend-go/v3
>= 3.1.0
Ruby
resend
>= 1.0.0
PHP
resend/resend-php
>= 1.1.0
Rust
resend-rs
>= 0.20.0
Java
resend-java
>= 4.11.0
.NET
Resend
>= 0.2.1
Install the resend npm package: npm install resend (or the equivalent for your language). For full sending docs, install the resend skill.
Quick Start
Ask the user for their email address β You need a real email address to send test emails to. Ask the user and wait for their response before proceeding.
Choose your security level β Decide how to validate incoming emails before any are processed
Set up receiving domain β Configure MX records for the user's custom domain (see Domain Setup section)
Create webhook endpoint β Handle email.received events with security built in from the start. The webhook endpoint MUST be a POST route.
Set up tunneling (local dev) β Use Tailscale Funnel (recommended) or ngrok. See references/webhook-setup.md
Create webhook via API β Use the Resend Webhook API to register your endpoint programmatically. See references/webhook-setup.md
Connect to agent β Pass validated emails to your AI agent for processing
Before You Start: Account & API Key Setup
First Question: New or Existing Resend Account?
Ask your human:
New account just for the agent? β Simpler setup, full account access is fine
Existing account with other projects? β Use domain-scoped API keys for sandboxing
Creating API Keys Securely
Don't paste API keys in chat! They'll be in conversation history forever.
DNS Propagation: MX record changes can take up to 48 hours to propagate globally, though often complete within a few hours.
Security Levels
Choose your security level before setting up the webhook endpoint. An AI agent that processes emails without security is dangerous β anyone can email instructions that your agent will execute. The webhook code you write next should include your chosen security level from the start.
Ask the user what level of security they want, and ensure that they understand what each level means.
Level
Name
When to Use
Trade-off
1
Strict Allowlist
Most use cases β known, fixed set of senders
Maximum security, limited functionality
2
Domain Allowlist
Organization-wide access from trusted domains
More flexible, anyone at domain can interact
3
Content Filtering
Accept from anyone, filter unsafe patterns
Can receive from anyone, pattern matching not foolproof
4
Sandboxed Processing
Process all emails with restricted agent capabilities
Untrusted input mixed into prompts can alter agent behavior
Give untrusted emails full agent access
Scope capabilities to the minimum needed
Webhook Endpoint
After choosing your security level and setting up your domain, create a webhook endpoint. The webhook endpoint MUST be a POST route. Resend sends all webhook events as POST requests.
Critical: Use raw body for verification. Webhook signature verification requires the raw request body.
Next.js App Router: Use req.text() (not req.json())
Express: Use express.raw({ type: 'application/json' }) on the webhook route
βΊClaude Desktop or compatible AI client with skill support
βΊClear understanding of task or problem to solve
βΊWillingness to iterate and refine outputs
Time Estimate
15-45 minutes depending on use case complexity
Steps
1Install skill using provided installation command
2Test with simple use case relevant to your work
3Evaluate output quality and relevance
4Iterate on prompts to improve results
5Integrate into regular workflow if valuable
Common Pitfalls
β Expecting perfect results without iteration
β Not providing enough context in prompts
β Using skill for tasks outside its intended scope
β Accepting outputs without review and validation
Best Practices
β Do
+Start with clear, specific prompts
+Provide relevant context and constraints
+Review and refine all outputs before using
+Iterate to improve output quality
+Document successful prompt patterns
β Don't
βDon't use without understanding skill limitations
βDon't skip validation of outputs
βDon't share sensitive information in prompts
βDon't expect skill to replace human judgment
π‘ Pro Tips
β Be specific about desired format and style
β Ask for multiple options to choose from
β Request explanations to understand reasoning
β Combine AI efficiency with human expertise
When to Use This
β Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
β Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
Learning Path
1Familiarize yourself with skill capabilities and limitations
2Start with low-risk, non-critical tasks
3Progress to more complex and valuable use cases
4Build expertise through regular use and experimentation
