mercadopago-subscriptions
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill implements mandatory webhook signature validation using HMAC-SHA256 with the Web Crypto API, ensuring that incoming notifications from MercadoPago are authentic and preventing spoofing attacks.
- [COMMAND_EXECUTION]: Supabase Edge Functions utilize the `SUPABASE_SERVICE_ROLE_KEY` to perform administrative database operations. While this grants high privileges (bypassing RLS), it is implemented here for the legitimate purpose of cross-user subscription state management and is handled server-side.
- [EXTERNAL_DOWNLOADS]: The skill imports standard dependencies from well-known and trusted registries, specifically using `@mercadopago/sdk-js` from NPM for the frontend and `@supabase/supabase-js` via ESM.sh for Deno Edge Functions.
- [SAFE]: Sensitive information such as `MP_ACCESS_TOKEN`, `RESEND_API_KEY`, and `SUPABASE_SERVICE_ROLE_KEY` is managed correctly through environment variables and secrets, with no evidence of hardcoded credentials in the provided code.
- [SAFE]: Payment processing follows PCI-DSS principles by using MercadoPago Secure Fields for card tokenization on the frontend, ensuring raw card data never touches the application's servers.
Audit Metadata