payment-integration
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFENO_CODE
Full Analysis
- SAFE (SAFE): The skill is purely instructional and focuses on teaching the agent how to implement secure payment systems. It does not contain any executable code, scripts, or configuration files that could pose a direct risk.
- Indirect Prompt Injection Surface (LOW): The skill references the handling of external webhook data. This introduces a potential attack surface for indirect prompt injection. However, the skill explicitly mandates strong security controls: (1) Ingestion Point: Webhook endpoints. (2) Boundary Markers: Signature verification using official SDKs (HMAC). (3) Capability Inventory: The skill itself has no active capabilities (no-code). (4) Sanitization: Mandatory server-side re-validation of payment status from the provider API. These instructions align with industry best practices for mitigating such risks.
- NO_CODE (SAFE): This skill consists entirely of documentation and guidance, with no accompanying scripts or binaries to analyze for runtime vulnerabilities.
Audit Metadata