clerk-webhooks
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- SAFE (SAFE): The skill consists entirely of Markdown documentation and configuration metadata. It contains no scripts, binaries, or automated tools.
- Indirect Prompt Injection (LOW): The skill describes an interface for receiving and processing external webhook data.
  1. Ingestion points: Publicly accessible API routes at app/api/webhooks/route.ts (SKILL.md).
  2. Boundary markers: The documentation explicitly mandates the use of verifyWebhook(req) to validate the source and integrity of incoming payloads (SKILL.md).
  3. Capability inventory: Metadata defines the WebFetch tool as allowed, but no scripts are provided to utilize it (SKILL.md).
  4. Sanitization: Verification via the official @clerk/nextjs library is the primary security control described (SKILL.md).
Audit Metadata