resend-webhooks
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- SAFE (SAFE): No security issues detected. The skill provides secure boilerplate for webhook handlers across Express, FastAPI, and Next.js.
- [Category 8: Indirect Prompt Injection] (SAFE): The skill handles untrusted data from webhooks but provides effective defenses.
  - Ingestion points: Data enters through the /webhooks/resend endpoint in all examples.
  - Boundary markers: Signature verification using svix-signature headers is implemented and emphasized as critical in the code and documentation.
  - Capability inventory: Handlers only perform logging of event metadata; no dangerous operations like shell execution, dynamic code execution, or file writes are performed on ingested data.
  - Sanitization: Uses timing-safe comparison methods (timingSafeEqual in Node.js and compare_digest in Python) and includes a 5-minute timestamp tolerance check to prevent replay attacks.