clerk-webhooks
Pass
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill references official Clerk documentation and NPM packages (e.g., @clerk/nextjs/webhooks). These are vendor-owned resources used for legitimate integration purposes.
- [DATA_EXFILTRATION]: The skill requests sensitive credentials (CLERK_SECRET_KEY, CLERK_WEBHOOK_SECRET) as required inputs. These are standard for server-side authentication and the skill correctly instructs users to store them in environment variables rather than hardcoding them.
- [PROMPT_INJECTION]: Indirect Prompt Injection Risk Assessment:
  - Ingestion points: Webhook payloads received at the API endpoint (e.g., app/api/webhooks/route.ts).
  - Boundary markers: The skill explicitly instructs the use of verifyWebhook(req) or Svix verification to validate the authenticity of the incoming data.
  - Capability inventory: Subprocess calls are not present; however, database writes (Prisma) and external notifications (Slack, Resend) are identified as common downstream actions in the provided examples.
  - Sanitization: Signature verification is mandated as the primary security control to ensure data originates from a trusted source (Clerk).
Audit Metadata