event-gateway
Pass
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [SAFE]: The skill provides secure implementation examples for webhook handlers across multiple frameworks (Express, Next.js, FastAPI).
- [SAFE]: Signature verification logic correctly implements HMAC-SHA256 with timing-safe comparisons to prevent timing attacks.
- [EXTERNAL_DOWNLOADS]: The skill fetches configuration and documentation from official vendor resources, including
hookdeck.comand GitHub repositories under thehookdeckorganization. - [COMMAND_EXECUTION]: Provides standard operational commands for the
hookdeckCLI, such as installation vianpmorbrewand local tunneling viahookdeck listen. - [REMOTE_CODE_EXECUTION]: Includes instructions to extend functionality using the
npx skillstool to install provider-specific skills from the vendor's official GitHub repository. - [INDIRECT_PROMPT_INJECTION]: The skill is designed to handle external webhook data but implements robust security boundaries.
- Ingestion points: Webhook routes defined in
examples/express/src/index.js,examples/fastapi/main.py, andexamples/nextjs/app/webhooks/route.ts. - Boundary markers: Mandatory signature verification using the
x-hookdeck-signatureheader is required for all data processing. - Capability inventory: No dangerous operations (such as
eval,exec, or unauthorized file writes) are performed on the payload in the provided examples. - Sanitization: Payloads are parsed using standard JSON libraries after authentication is confirmed; further validation via provider SDKs is recommended.
Audit Metadata