webhook-handlers
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOW
Full Analysis
- Indirect Prompt Injection (SAFE): The skill is designed to process untrusted data from external webhooks. It mitigates injection risks by implementing strict signature verification. Evidence: In templates/fastapi-endpoint.py, the verify_signature function uses hmac.compare_digest to validate payloads against the x-resend-signature header. Similarly, templates/nextjs-route.ts uses crypto.timingSafeEqual for secure verification. These checks ensure only authenticated data is processed.
- Data Exposure & Exfiltration (SAFE): The .env.example file contains standard configuration placeholders and lacks hardcoded secrets. Network operations in the shell scripts are limited to local testing and interaction with user-defined webhook endpoints.
- Unverifiable Dependencies & Remote Code Execution (SAFE): The skill utilizes standard, well-known libraries such as FastAPI, Pydantic, and Next.js. No instances of remote code downloading (e.g., curl | bash) or dynamic execution (eval, exec) were identified.
- Obfuscation (SAFE): All files contain clear, readable source code without any encoding, homoglyphs, or hidden characters intended to bypass security scans.
Audit Metadata