The Agent Skills Directory

[Indirect Prompt Injection] (SAFE): The skill defines ingestion points for external webhook data, but the security risks are mitigated by robust verification patterns.
Ingestion points: Webhook endpoints POST /webhooks/vercel are defined in examples/fastapi/main.py, examples/express/src/index.js, and examples/nextjs/app/webhooks/vercel/route.ts.
Boundary markers: The skill provides comprehensive implementation of HMAC-SHA1 signature verification using timing-safe comparisons (hmac.compare_digest in Python and crypto.timingSafeEqual in Node.js).
Capability inventory: The examples demonstrate logging and event-based routing; they do not perform high-risk operations like executing shell commands or writing to sensitive files based on the payload.
Sanitization: Payloads are parsed into structured JSON objects after verification, and the examples access specific fields rather than passing raw strings into sensitive sinks.
[Unverifiable Dependencies] (SAFE): The project suggests standard dependencies from official registries (PyPI and npm). While TODO.md notes an incorrect version for next in the Next.js example, this appears to be a documentation error rather than a malicious package attempt.
[Credentials Unsafe] (SAFE): Environment variable examples use placeholders. Test suites use clearly identified test secrets which do not pose a risk to production systems.

vercel-webhooks