cursor-webhooks
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill implements robust security controls for webhook processing.
  - Evidence: All signature verification logic (found in SKILL.md, examples/express/src/index.js, examples/fastapi/main.py, and examples/nextjs/app/webhooks/cursor/route.ts) correctly uses timing-safe equality checks (crypto.timingSafeEqual and hmac.compare_digest) to prevent timing side-channel attacks.
  - Evidence: The skill properly instructs users to access the raw request body to ensure accurate HMAC calculation, avoiding common pitfalls where pre-parsed JSON bodies cause signature mismatches.
- [EXTERNAL_DOWNLOADS]: The skill references established packages and tools.
  - Evidence: Recommends the use of hookdeck-cli, a legitimate tool from the vendor's own organization for webhook debugging and local tunneling.
  - Evidence: Dependencies such as fastapi, express, and next are sourced from official registries, though some version numbers cited (e.g., next@^16.1.6, pytest>=9.0.2) appear ahead of current stable releases.
Audit Metadata