pos-integration
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No security issues detected across the analyzed files.
- [PROMPT_INJECTION]: Analyzed the skill's surface for indirect prompt injection via external data ingestion.
  - Ingestion points: The webhook endpoint defined in `SKILL.md` (`POST /api/webhooks/square`) processes JSON data from Square's platform.
  - Boundary markers: The implementation includes robust HMAC-SHA256 signature verification using `SQUARE_WEBHOOK_SECRET` to ensure only authentic Square requests are processed.
  - Capability inventory: The skill performs database updates (`db.variants`, `db.inventory`) and Redis cache updates. It does not contain any capabilities for command execution, file-system writes, or network requests based on untrusted input.
  - Sanitization: Use of signature verification effectively sanitizes the data source. Numeric data is parsed using `parseInt` before usage.