alchemy-webhooks-events
Pass
Audited by Gen Agent Trust Hub on Apr 13, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill manages authentication using environment variables (`ALCHEMY_AUTH_TOKEN`, `ALCHEMY_API_KEY`, `ALCHEMY_WEBHOOK_SIGNING_KEY`), which is a recommended practice for avoiding hardcoded credentials.
- [SAFE]: Incoming webhook handling includes robust HMAC signature verification using Node.js's `crypto` module, protecting the application against message spoofing and timing attacks.
- [SAFE]: All external communications are directed to Alchemy, a well-known service provider, and links refer to their official documentation and repositories.
- [SAFE]: Indirect Prompt Injection surface analysis:
  - Ingestion points: The skill processes external webhook payloads via an Express endpoint in `src/webhooks/alchemy-handler.ts`.
  - Boundary markers: Cryptographic signature validation via the `x-alchemy-signature` header provides a strong trust boundary for incoming data.
  - Capability inventory: The sample code is restricted to logging and internal event routing; no dangerous tool execution or file modifications are performed using the external payload.
  - Sanitization: Data is validated for authenticity before being parsed as structured JSON.
Audit Metadata