webhook-architecture
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill provides industry-standard secure implementation patterns for webhooks, including HMAC verification with timing-safe equality and idempotency checks to prevent common vulnerabilities like duplicate fulfillment or replay attacks.
- [PROMPT_INJECTION]: Indirect Prompt Injection Risk (Low).
- Ingestion points: The skill is designed to handle external webhook payloads from third-party platforms (e.g., Shopify, Stripe) in app/api/webhooks/shopify/route.ts.
- Boundary markers: Cryptographic signature verification (HMAC) is implemented as a mandatory gate before payload processing.
- Capability inventory: The skill implementation includes database writes for idempotency and status tracking, as well as asynchronous execution of business logic based on event types.
- Sanitization: The skill emphasizes validating the raw request body against signatures to ensure data authenticity and integrity before it enters the application context.