github-webhooks
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- PROMPT_INJECTION (SAFE): No malicious instructions or bypass attempts detected in the instructions or metadata.
- DATA_EXFILTRATION (SAFE): No evidence of credential exposure or unauthorized data transmission; secrets are handled via environment variables.
- REMOTE_CODE_EXECUTION (SAFE): No patterns of downloading and executing arbitrary remote scripts were found.
- COMMAND_EXECUTION (SAFE): No dangerous shell commands or subprocess calls were identified.
- INDIRECT_PROMPT_INJECTION (SAFE): The skill handles untrusted external data (webhooks) but implements strong security measures: 1. Ingestion points: POST
/webhooks/githubin Express, FastAPI, and Next.js implementations. 2. Boundary markers: Mandatory HMAC SHA-256 signature verification using the X-Hub-Signature-256 header. 3. Capability inventory: Handler logic is restricted to console logging; no file-system write, network requests, or code execution capabilities are exposed. 4. Sanitization: Webhook payloads are parsed as JSON only after signature verification.
Audit Metadata