clerk-webhooks-events
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No malicious patterns or security vulnerabilities were identified. The skill correctly guides the user to implement Clerk webhooks using industry-standard security practices.
- [PROMPT_INJECTION]: The skill defines an interface for receiving and processing untrusted data from an external source (Clerk webhooks).
- Ingestion points: The `POST` route in `app/api/webhooks/clerk/route.ts` ingests a JSON payload from an HTTP request.
- Boundary markers: The skill mandates the use of Svix signature headers (`svix-id`, `svix-timestamp`, `svix-signature`) to verify the authenticity of the sender before processing.
- Capability inventory: The skill performs database writes (create/update/delete) and sends emails based on the received event types.
- Sanitization: Authenticity is verified via `wh.verify()`. The skill assumes the schema provided by Clerk's API.
Audit Metadata