payment-integration

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Full Analysis
  • Prompt Injection (SAFE): No instructions attempting to override agent behavior or bypass safety filters were found in the skill files or documentation.
  • Data Exposure & Exfiltration (SAFE): The skill utilizes environment variables for credentials and provides clear templates. No exfiltration patterns or suspicious network calls were identified.
  • Obfuscation (SAFE): There is no hidden or obfuscated code. Standard Base64 decoding for webhook secrets is used correctly for its intended purpose.
  • Unverifiable Dependencies & Remote Code Execution (SAFE): The skill does not execute remote code or install unverified packages. Documented SDKs are standard for the platforms described.
  • Indirect Prompt Injection (LOW): The skill provides surface area for processing untrusted webhook data via CLI scripts.
      • Ingestion points: Webhook payload JSON passed to sepay-webhook-verify.js and polar-webhook-verify.js via the command line.
      • Boundary markers: Absent; however, the scripts are designed for manual developer use rather than autonomous agent pipelines.
      • Capability inventory: No network operations or subprocess execution exist within the processing scripts.
      • Sanitization: Both verification scripts perform strict structural and data type validation on input payloads before processing.
  • Dynamic Execution (SAFE): Helpers generate static templates for HTML forms and cURL commands based on provided configuration, posing no runtime execution risk.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:50 PM