paddle-webhooks
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface as it is designed to ingest and process untrusted data from external webhooks.
- Ingestion points: POST /webhooks/paddle endpoints defined in examples/express/src/index.js, examples/fastapi/main.py, and examples/nextjs/app/webhooks/paddle/route.ts.
- Boundary markers: The skill implements HMAC SHA-256 signature verification using the paddle-signature header and a secret key, which acts as a robust boundary for validating request authenticity.
- Capability inventory: The webhook handlers log event IDs and event types to the console; no dangerous capabilities like subprocess execution, file system modification, or arbitrary code execution were identified.
- Sanitization: JSON payloads are parsed only after the cryptographic signature has been verified.
- [EXTERNAL_DOWNLOADS]: The skill configuration and documentation reference official Paddle SDKs and the Hookdeck CLI. These are well-known and trusted resources for developers working with webhooks.
- [SAFE]: The provided code samples follow security best practices, such as using timing-safe comparison functions (timingSafeEqual and compare_digest) to prevent side-channel attacks. No hardcoded secrets, malicious instructions, or obfuscated code were detected.
Audit Metadata