webhook-subscriptions

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt explicitly shows passing a secret on the command line (--secret "optional-custom-secret") and describes returning/propagating HMAC secrets (e.g., "Returns the webhook URL and HMAC secret" and instructing users to paste that secret into service settings), which would require the agent to output secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The webhook adapter explicitly accepts POSTs from external services (e.g., GitHub, GitLab, Stripe, monitoring tools) and formats the incoming JSON payload—or dumps the full payload if no prompt is specified—into the agent prompt (see "Prompt Templates", "Common Patterns", and "How It Works"), so untrusted third-party content can directly influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill accepts external webhook POSTs to the returned webhook URL (e.g., the public webhook_url you give to services such as https:///webhook or a tunnel URL like https://.ngrok.io), and the JSON payloads from GitHub/GitLab/Stripe/CI/etc. are rendered into or fully injected as agent prompts at runtime, so external content directly controls the agent's prompts.