setup-webhook
Audited by Socket on Feb 23, 2026
1 alert found:
Malware [Skill Scanner]: Pipe-to-shell or eval pattern detected

All findings:
[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
[CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
[HIGH] data_exfiltration: Outbound data post or form upload via curl/wget detected (NW002) [AITech 8.2.3]
[HIGH] data_exfiltration: Outbound data post or form upload via curl/wget detected (NW002) [AITech 8.2.3]

The provided documentation and example webhook servers implement the intended functionality and include reasonable webhook authentication patterns (HMAC + timing-safe compare). There is no direct evidence in these examples of malicious code, credential harvesting, or obfuscated/backdoor behavior. The primary security issues are supply-chain and operational: use of pipe-to-shell (curl|bash) and unpinned npx installations (recommend adding checksums/signatures and pinned versions), potential signature-verification brittleness due to JSON.stringify usage (recommend verifying the raw request body), and guidance to avoid committing secrets and to limit tunnel exposure. Overall: not malicious, but moderate security risk due to install and operational guidance that could be improved.

LLM verification: This SKILL.md is documentation and example code for setting up Vapi webhooks. The functionality described is consistent with the stated purpose (receiving call events and responding to assistant-request/tool-calls). The primary security concerns are a pipe-to-shell install instruction (curl https://vapi.ai/install.sh | bash), which is a supply-chain risk; example code that logs potentially sensitive call transcripts and metadata; and encouragement to use API keys directly in shell commands (crede