knock-webhooks

Pass

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill correctly implements HMAC-SHA256 signature verification to ensure the authenticity and integrity of incoming webhooks. It uses timing-safe comparison functions (crypto.timingSafeEqual in Node.js and hmac.compare_digest in Python) to mitigate timing side-channel attacks.
  • [SAFE]: Implements replay protection by verifying the t (timestamp) parameter in the x-knock-signature header against a 5-minute tolerance window, preventing old or intercepted payloads from being re-processed.
  • [EXTERNAL_DOWNLOADS]: The documentation and examples recommend using the hookdeck-cli tool for local development. This is a legitimate utility provided by the vendor for tunneling webhooks to local environments.
  • [CREDENTIALS_UNSAFE]: The skill follows security best practices for secret management by instructing users to use .env files for the KNOCK_WEBHOOK_SECRET and providing .env.example templates. No sensitive credentials or API keys are hardcoded in the skill content.
  • [REMOTE_CODE_EXECUTION]: The skill uses standard package registries (NPM and PyPI) for dependencies. While some version numbers in package.json (e.g., next@^16.2.6, typescript@^6.0.3) appear to be placeholders or future-dated, the packages themselves are standard and do not pose a remote code execution risk.
  • [PROMPT_INJECTION]: The skill contains no instructions that attempt to override agent behavior, bypass safety filters, or extract system prompts.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 18, 2026, 08:10 AM
Security Audit — agent-trust-hub — knock-webhooks