supabase-webhooks-events
Pass
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill provides standard security implementation patterns for Supabase webhooks including signature verification and event handling.
- [SAFE]: Signature verification logic correctly implements HMAC-SHA256 validation and uses timing-safe comparisons (crypto.timingSafeEqual) to prevent side-channel attacks.
- [SAFE]: Replay attack protection is included via timestamp age verification, limiting the validity window of incoming webhooks to 5 minutes.
- [SAFE]: Secret management instructions correctly suggest using environment variables (process.env.SUPABASE_WEBHOOK_SECRET) rather than hardcoding credentials.
Audit Metadata