payment-async-flow
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill correctly instructs developers to use environment variables for sensitive credentials (e.g., VTEX_APP_KEY, VTEX_APP_TOKEN) rather than hardcoding secrets in the codebase.
- [SAFE]: The network operations involve sending status notifications to a callback URL provided by the platform, which is a fundamental requirement of the Payment Provider Protocol. The skill emphasizes preserving query parameters like X-VTEX-signature for authentication.
- [SAFE]: The guidelines promote security best practices such as implementing idempotency to prevent duplicate charges and using correct payment status mapping (the undefined status) to prevent the release of orders before payment confirmation.
- [SAFE]: Logic for calculating expiration times (delayToCancel) is based on legitimate business requirements for different payment methods (Pix, Boleto) and does not involve suspicious time-based triggers.
Audit Metadata