paddle-webhooks
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION] (SAFE): No instructions found that attempt to override agent behavior, bypass safety filters, or reveal system prompts.
- [CREDENTIALS_UNSAFE] (SAFE): Examples use placeholder strings (e.g., 'pdl_ntfset_your_secret_here') and rely on environment variables for actual secrets.
- [DATA_EXFILTRATION] (SAFE): The skill acts as a receiver for authenticated webhooks. No unauthorized outbound network activity or sensitive local file access was detected.
- [INDIRECT_PROMPT_INJECTION] (LOW):
  - Ingestion points: Untrusted data enters the agent's context via the /webhooks/paddle endpoint in main.py, index.js, and route.ts.
  - Boundary markers: Robust HMAC signature verification is implemented across all examples to ensure data integrity and authenticity.
  - Capability inventory: The code contains no dangerous capabilities (e.g., subprocess execution, eval, or file-write operations) that act on the webhook payload.
  - Sanitization: Standard JSON parsing is used to handle data payloads.
- [EXTERNAL_DOWNLOADS] (SAFE): Dependencies are standard, well-known libraries (FastAPI, Express, Paddle SDK). CLI tools referenced in documentation (Hookdeck) are legitimate developer utilities.
Audit Metadata