gemini-webhooks

Pass

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill implements standard HMAC-SHA256 signature verification to ensure the authenticity and integrity of webhook events received from Google Gemini.
  • [SAFE]: Incorporates replay attack protection by verifying that the webhook-timestamp header is within a +/- 300-second window of the current server time.
  • [SAFE]: Utilizes timing-safe string comparison functions (crypto.timingSafeEqual in Node.js and hmac.compare_digest in Python) to prevent timing side-channel attacks during signature validation.
  • [SAFE]: Correctly identifies and demonstrates the necessity of using the raw request body for signature calculation, preventing common integration errors where pre-parsed JSON bodies cause verification failures.
  • [EXTERNAL_DOWNLOADS]: References the hookdeck-cli tool for local testing and debugging. This utility is provided by the skill's author and is used for its intended purpose of tunneling and inspecting webhook deliveries.
Audit Metadata
Risk Level: SAFE
Analyzed: May 13, 2026, 07:13 AM