openai-webhooks

Pass

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill correctly implements HMAC-SHA256 signature verification using the Standard Webhooks specification, ensuring that incoming webhooks are authentically sourced from OpenAI.
  • [SAFE]: Replay attacks are mitigated by checking the 'webhook-timestamp' header against a 5-minute validity window relative to the current system time.
  • [SAFE]: Timing side-channel attacks on the signature comparison are prevented through the use of 'crypto.timingSafeEqual' in Node.js and 'hmac.compare_digest' in Python for signature validation.
  • [SAFE]: Sensitive configuration is handled through environment variables (OPENAI_WEBHOOK_SECRET and OPENAI_API_KEY) with no hardcoded secrets found in the code or examples.
  • [SAFE]: All identified dependencies are standard, reputable libraries for the respective ecosystems (FastAPI, Express, and Next.js).
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 1, 2026, 04:29 PM