juicebox-webhooks-events

Pass

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The implementation instructions demonstrate secure coding practices by requiring HMAC-SHA256 signature verification for all incoming webhooks. The code uses crypto.timingSafeEqual to prevent timing attacks during the verification process.
  • [SAFE]: The skill correctly instructs the user to manage sensitive information, such as API keys and webhook secrets, using environment variables (process.env.JUICEBOX_API_KEY, process.env.JUICEBOX_WEBHOOK_SECRET) instead of hardcoding them in the source code.
  • [SAFE]: External dependencies such as @juicebox/sdk, express, and bullmq are standard, industry-recognized libraries for the tasks described. No suspicious or unversioned package installations were detected.
  • [SAFE]: While the skill processes untrusted external data (webhook payloads), the combination of signature verification and structured processing minimizes the risk of indirect prompt injection or other data-driven attacks.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 12, 2026, 12:40 AM