cursor-webhooks

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE] (SAFE): The skill's webhook signature verification is robust and follows cryptographic best practices, such as timing-safe comparisons (crypto.timingSafeEqual in Node.js and hmac.compare_digest in Python) to prevent timing attacks.
  • [CREDENTIALS_UNSAFE] (SAFE): Sensitive information, specifically the webhook signing secret, is managed through environment variables (CURSOR_WEBHOOK_SECRET). No hardcoded credentials or private keys were found in the source code or example files.
  • [DATA_EXFILTRATION] (SAFE): The code only processes incoming data from the webhook source. It does not perform any outbound network requests to untrusted domains, nor does it access sensitive local file paths (e.g., SSH keys or AWS credentials).
  • [COMMAND_EXECUTION] (SAFE): No instances of unsafe command execution, such as eval(), exec(), or subprocess.run() with unvalidated input, were detected.
  • [PROMPT_INJECTION] (SAFE): The documentation and code do not contain instructions aimed at overriding agent behavior or bypassing safety filters.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:13 PM