huggingface-webhooks

Pass

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill implements industry-standard security practices for webhook verification, specifically using timing-safe comparisons (crypto.timingSafeEqual in Node.js and secrets.compare_digest in Python) to prevent timing-based side-channel attacks.
  • [CREDENTIALS_UNSAFE]: No hardcoded secrets were detected. The skill uses placeholders in example files and correctly instructs users to manage sensitive tokens via environment variables.
  • [EXTERNAL_DOWNLOADS]: The documentation references standard package installation commands for Node.js and Python. It also mentions the use of hookdeck-cli for local testing, which is a development tool provided by the skill's author.
  • [DATA_EXFILTRATION]: Analysis of the webhook handling logic confirms that payload data is processed locally for logging purposes. There is no evidence of the skill attempting to send sensitive system data or credentials to unauthorized external destinations.
  • [REMOTE_CODE_EXECUTION]: The skill does not employ dangerous functions like eval() or exec() on untrusted data, and it does not facilitate the execution of unverified remote scripts.
Audit Metadata
Risk Level: SAFE
Analyzed: May 13, 2026, 07:14 AM