payment-integration
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- Indirect Prompt Injection (SAFE): The skill processes external JSON payloads in its webhook verification scripts. While this is an ingestion point for untrusted data, the risk is mitigated by mandatory cryptographic signature verification.
  - Ingestion points: CLI arguments in scripts/sepay-webhook-verify.js and scripts/polar-webhook-verify.js.
  - Boundary markers: None (standalone utility scripts).
  - Capability inventory: HMAC verification using the built-in crypto module. Scripts only validate and print transaction details.
  - Sanitization: Cryptographic verification of payloads is required before processing.
- External References (SAFE): Documentation refers to official platform SDKs and APIs. These are standard for payment integrations, and the skill performs no automated execution of external code.