shipment-tracking
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill correctly uses environment variables (process.env.EASYPOST_API_KEY, process.env.EASYPOST_WEBHOOK_SECRET) to manage sensitive credentials, which follows industry standards for preventing hardcoded secret exposure.
- [SAFE]: The webhook handler implementation in the 'Custom / Headless' section incorporates HMAC SHA-256 signature verification. This ensures that only authentic requests from the carrier aggregator are processed, mitigating risk of data injection from unauthorized sources.
- [SAFE]: All network communications are directed to the official EasyPost API (api.easypost.com) and well-known carrier domains (UPS, FedEx, USPS), which are legitimate and necessary for the skill's stated purpose.
- [SAFE]: The data ingestion surface (webhooks) is properly secured with signature validation, and the subsequent actions, such as database updates and email notifications, are routine operations for shipping workflows.
Audit Metadata