shopify-webhooks
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No malicious patterns, obfuscation, or data exfiltration attempts were detected in the skill source code or metadata.
- [SAFE]: The skill demonstrates best practices for security by implementing HMAC-SHA256 signature verification. It correctly utilizes timing-safe comparison functions, such as crypto.timingSafeEqual in Node.js and hmac.compare_digest in Python, to protect against timing side-channel attacks.
- [SAFE]: The provided examples correctly emphasize the use of raw request bodies for verification, which prevents common security pitfalls related to JSON re-serialization or character encoding mismatches.
- [EXTERNAL_DOWNLOADS]: The documentation references the Hookdeck CLI for local testing; since this is a tool provided by the authoring organization (hookdeck) for development purposes, it is documented neutrally and does not escalate the security verdict.