The Agent Skills Directory

[SAFE]: The skill enforces cryptographic signature verification using the verifyWebhook function and the svix library, which is the primary security control for preventing unauthorized webhook events.
[SAFE]: Sensitive information, such as CLERK_WEBHOOK_SECRET, RESEND_API_KEY, and SLACK_WEBHOOK_URL, is managed through environment variables rather than hardcoded strings.
[SAFE]: The skill identifies and explains common security pitfalls, such as the requirement for raw body parsing in Express.js to ensure signature integrity.
[SAFE]: Indirect Prompt Injection Surface:
Ingestion points: The skill processes external data via webhook POST requests arriving at /api/webhooks or similar endpoints.
Boundary markers: Cryptographic signature verification is strictly mandated in all examples, serving as a robust trust boundary.
Capability inventory: The examples demonstrate database writes (using Prisma) and outbound network requests to trusted services like Slack and Resend.
Sanitization: Data from the verified payload is accessed programmatically (e.g., evt.data.email_addresses[0]), which minimizes the risk of direct instruction injection compared to raw text interpolation.

clerk-webhooks