replicate-webhooks
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOW
Full Analysis
- [SAFE] (SAFE): The skill follows security best practices for cryptographic verification of webhooks.
  - Signature Verification: Uses timing-safe comparison methods (`crypto.timingSafeEqual` in Node.js and `hmac.compare_digest` in Python) to prevent timing attacks.
  - Replay Protection: Implements a 5-minute validity window for the `webhook-timestamp` header to prevent replay attacks.
  - Raw Body Handling: Correctly instructs users to use `express.raw()` or equivalent array buffer methods to ensure the message body is not modified by middleware before verification.
- [EXTERNAL_DOWNLOADS] (LOW): The READMEs suggest installing `hookdeck-cli` globally for local testing. While Hookdeck is not on the predefined trusted list, it is the author of this skill and the tool is standard for webhook development.
- [COMMAND_EXECUTION] (SAFE): No arbitrary command execution patterns found. All terminal commands provided in the documentation are for standard dependency management and server startup.
- [DATA_EXFILTRATION] (SAFE): No unauthorized network calls or sensitive data exposure detected. The logic is strictly focused on receiving and logging incoming webhook notifications.
Audit Metadata