payment-integration
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS
Full Analysis
- [Unverifiable Dependencies] (LOW): The skill documentation recommends installing external packages and SDKs from organizations not on the trusted list, such as github:sepay/sepay-pg-node, @polar-sh/sdk, and polar-sdk. While these are the official libraries for the services being integrated, they are treated as unverifiable by the static analysis policy. Severity is downgraded from Medium to Low as these are essential to the primary purpose of the skill.
- [Indirect Prompt Injection] (LOW): The helper scripts ingest untrusted JSON data from payment webhooks.
  - Ingestion points: scripts/sepay-webhook-verify.js and scripts/polar-webhook-verify.js accept JSON payloads via command-line arguments.
  - Boundary markers: Payloads are parsed using standard JSON utilities.
  - Capability inventory: The scripts are limited to cryptographic verification and data extraction; no dangerous capabilities such as arbitrary shell execution or file system writes are present in the processing path.
  - Sanitization: The scripts perform schema validation, checking for required fields (e.g., id, transferAmount) and expected data types before processing.
- [Data Exposure & Exfiltration] (SAFE): No hardcoded credentials or sensitive data leaks were found. The skill correctly uses environment variables for API keys and secrets, providing a .env.example for configuration.
Audit Metadata