hitpay
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [SAFE] (SAFE): The skill follows security best practices by recommending environment variables (HITPAY_API_KEY, HITPAY_SALT) rather than hardcoding credentials.
- [SAFE] (SAFE): Webhook verification logic uses crypto.timingSafeEqual and sha256 HMAC, which are industry standards for preventing timing attacks and ensuring data integrity.
- [EXTERNAL_DOWNLOADS] (SAFE): The skill references the common qrcode package for legitimate client-side QR generation.
- [COMMAND_EXECUTION] (SAFE): The utility script scripts/verify-webhook.sh is benign and serves only to output boilerplate code samples for developers.
Audit Metadata