aba-payway
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- Category 8: Indirect Prompt Injection (LOW): The skill provides instructions for building callback (webhook) handlers which naturally ingest untrusted data from the payment gateway.
  - Ingestion points: references/integration.md describes implementing endpoints at /api/payway/callback to handle external POST/GET requests.
  - Boundary markers: Absent in the provided integration logic for callback parsing.
  - Capability inventory: The skill itself does not have autonomous execution capabilities; it provides instructions and a local CLI utility (scripts/payway-purchase-hash-debug.js) that uses node:fs to read local files.
  - Sanitization: The skill explicitly instructs users to perform normalization and validation, such as verifying amount formats and ensuring API keys are not exposed to the client.
- Category 2: Data Exposure (SAFE): The skill handles sensitive environment variables like ABA_PAYWAY_API_KEY. It explicitly warns against exposing these to the client-side code and uses clear placeholders in documentation.
- Category 4: Unverifiable Dependencies (SAFE): The provided utility script payway-purchase-hash-debug.js relies only on built-in Node.js modules (node:crypto, node:fs). No external or untrusted packages are required.
Audit Metadata