setup-toyyibpay
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [SAFE]: The skill mandates robust security protocols for payment processing, including mandatory server-side hashing for callback validation and strict separation of sandbox and production environments.
- [COMMAND_EXECUTION]: Suggests standard use of npx wrangler for managing Cloudflare Worker secrets, which is a common and safe developer workflow.
- [EXTERNAL_DOWNLOADS]: References official toyyibPay API documentation, manuals, and well-known service repositories (WordPress.org) to provide factual integration guidance.
- [PROMPT_INJECTION]: Documents an indirect prompt injection surface through ingestion of external documentation. 1. Ingestion points: references/toyyibpay-docs.md (links to PDFs and plugin source). 2. Boundary markers: The skill instructions bound the usage to factual reference and code synthesis. 3. Capability inventory: CLI secret management via npx wrangler. 4. Sanitization: Implements strict callback verification logic to mitigate untrusted inputs.
- [SAFE]: Includes a referral link for account registration with clear instructions to the agent to disclose its nature and ensure its use is optional for the user.
Audit Metadata