webhook-security
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOW
COMMAND_EXECUTION
Full Analysis
- [Command Execution] (LOW): The skill includes several shell scripts (setup-webhook-endpoint.sh, test-webhook-locally.sh, webhook-testing-example.sh) for project scaffolding and local development. These scripts perform standard operations such as creating directories, copying templates, and interacting with the local network via curl and stripe-cli.
- [Indirect Prompt Injection] (LOW): The skill is designed to ingest external data via webhook endpoints (e.g., /webhooks/stripe in webhook_handler.py). Boundary markers are implemented via industry-standard HMAC-SHA256 signature verification. Capability inventory includes database persistence (SQLAlchemy) and local logging. Sanitization is handled through strict cryptographic verification of the payload before any business logic is executed.
- [Dynamic Execution] (LOW): The setup script (setup-webhook-endpoint.sh) uses sed to customize templates at runtime, which is a standard and low-risk template-filling mechanism for development tools.
- [Data Exposure & Exfiltration] (SAFE): Secret management follows security best practices by utilizing environment variables. No unauthorized data access or exfiltration patterns were identified.
Audit Metadata