vastai-webhooks-events

Pass

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: SAFE, PROMPT_INJECTION
Full Analysis
  • [SAFE]: The skill demonstrates secure cryptographic practices by using HMAC-SHA256 and timing-safe comparisons for webhook signature verification.
  • [SAFE]: Replay protection is implemented via timestamp verification, a key security control for webhook endpoints.
  • [PROMPT_INJECTION]: The skill establishes an ingestion point for untrusted data from an external source (Vast.ai webhooks), which creates a potential surface for indirect prompt injection.
    • Ingestion points: The req.body in the Express.js implementation acts as an entry point for external data.
    • Boundary markers: The provided code templates do not include markers or instructions to treat event data as untrusted or to ignore embedded instructions.
    • Capability inventory: The skill possesses Read, Write, Edit, and Bash(curl:*) capabilities, which could be leveraged if an injected instruction is executed.
    • Sanitization: There is no evidence of sanitization or validation of the event data fields before they are processed by handlers.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 4, 2026, 01:54 PM