convex-http

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: LOW
Full Analysis
  • General Security (SAFE): The provided templates for webhooks and API endpoints follow standard secure development patterns.
  • Credential Safety (SAFE): The skill correctly uses environment variables (e.g., process.env.STRIPE_SECRET_KEY) to manage secrets rather than hardcoding credentials.
  • Webhook Integrity (SAFE): The Stripe webhook example correctly implements signature verification using stripe.webhooks.constructEvent, preventing unauthorized event injection.
  • Authentication (SAFE): Code patterns demonstrate how to implement API key validation and protect sensitive routes.
  • CORS Configuration (LOW): The CORS example uses Access-Control-Allow-Origin: '*'. While acceptable for documentation simplicity or public APIs, it is a permissive policy that developers should restrict in production environments.
  • Indirect Prompt Injection (LOW): While the skill describes how to ingest external data via HTTP requests (an inherent attack surface), it provides defensive patterns such as signature verification and structured input validation to mitigate risk.
Audit Metadata
Risk Level: LOW
Analyzed: Feb 17, 2026, 07:13 AM