payment-integration
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFE
Full Analysis
- [Data Exposure & Exfiltration] (SAFE): No sensitive data exposure or exfiltration patterns were detected. The skill correctly utilizes placeholders for API keys and secret tokens and instructs users to store credentials in environment variables.
- [Prompt Injection] (SAFE): The skill instructions and documentation do not contain any patterns designed to bypass safety filters, override system prompts, or extract internal agent instructions.
- [Indirect Prompt Injection] (SAFE): The skill describes workflows for processing external data from payment webhooks, which is a common ingestion surface.
- Ingestion points: Webhook endpoints (e.g., in
references/polar/webhooks.md) process external JSON payloads from payment providers. - Boundary markers: The documentation recommends using explicit signature verification to ensure data integrity.
- Capability inventory: Capabilities described include updating database records and granting user benefits based on payment status.
- Sanitization: The skill provides instructions for HMAC-SHA256 signature validation and transaction deduplication to sanitize and verify incoming data.
- [Remote Code Execution] (SAFE): The documentation refers to standard package managers (npm, pip, composer) and official initialization tools (npx). These references are for the developer's environment and do not constitute malicious remote code execution within the skill itself.
- [Obfuscation] (SAFE): No obfuscated content, such as multi-layer Base64, zero-width characters, or homoglyphs, was found in the analyzed files.
Audit Metadata