lemon-squeezy
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill implements robust webhook security by providing instructions and code for signature verification using `crypto.timingSafeEqual` in `references/webhooks.md`. This is a best practice that prevents unauthorized event spoofing and protects against timing attacks.
- [SAFE]: Sensitive information such as API keys and webhook secrets is correctly managed through environment variables (e.g., `LEMONSQUEEZY_API_KEY`), as outlined in `references/setup.md`. The documentation explicitly warns against exposing these keys to the client.
- [SAFE]: The skill utilizes the official `@lemonsqueezy/lemonsqueezy.js` package, which is a well-known and trusted library for the service it integrates with.
- [SAFE]: No evidence of data exfiltration, obfuscation, unauthorized command execution, or persistence mechanisms was found across any of the analyzed files.
Audit Metadata