payment-integration
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- Indirect Prompt Injection (SAFE): The skill possesses a data ingestion surface through its helper scripts.
- Ingestion points: Command-line arguments in scripts/checkout-helper.js, scripts/sepay-webhook-verify.js, and scripts/polar-webhook-verify.js.
- Boundary markers: Absent.
- Capability inventory: Generation of HTML form strings and cURL command strings; no direct execution of shell commands.
- Sanitization: Absent; values are interpolated directly into code templates, but the logic is intended for local developer use.
- Data Exposure (SAFE): No hardcoded secrets, private keys, or sensitive file paths were detected. The skill uses environment variables with provided example templates.
- Command Execution (SAFE): Helper scripts utilize built-in Node.js libraries for data validation and cryptographic operations without spawning subprocesses or performing unsafe dynamic execution.
Audit Metadata