orb-webhooks

Pass

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill implements robust webhook signature verification using HMAC-SHA256 with per-endpoint secrets, ensuring only authentic events from Orb are processed.
  • [SAFE]: Signature validation utilizes timing-safe comparison functions (crypto.timingSafeEqual in Node.js and hmac.compare_digest in Python) to prevent timing side-channel attacks.
  • [SAFE]: Replay protection is implemented through a timestamp freshness check, rejecting requests delivered outside of a 5-minute tolerance window.
  • [SAFE]: Promotes secure secret management by instructing users to store the signing secret in environment variables (ORB_WEBHOOK_SECRET) rather than hardcoding them in the source code.
  • [EXTERNAL_DOWNLOADS]: References the hookdeck-cli utility for local development. This is a tool provided by the vendor (hookdeck) to simplify webhook tunneling and debugging.
  • [EXTERNAL_DOWNLOADS]: The examples use standard packages including orb-billing, express, fastapi, and next. Several version strings in the package.json and requirements.txt files (e.g., Next.js 16, Express 5) could not be confirmed as intended pins and may be placeholders; check them against the package registry and commit a lockfile before installing. This is a reproducibility concern, not a direct security risk.
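The four SAFE findings above describe one verification procedure: HMAC-SHA256 over the raw body with a per-endpoint secret, a constant-time comparison, a 5-minute freshness window, and a secret read from ORB_WEBHOOK_SECRET. The block below is an added Python example written for this audit page; it is not the skill's own code and not the orb-billing SDK's verifier. The header names (X-Orb-Signature, X-Orb-Timestamp) and the "v1:<timestamp>:<body>" signed-message layout are assumptions modelled on the common timestamp-plus-body pattern and must be checked against Orb's documentation or SDK before use; the sample secret and event body are constructed. If the orb-billing SDK you pin ships its own verification helper, prefer that in production.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Freshness window named in the audit: 5 minutes either side of "now".
TOLERANCE_SECONDS = 300

# ASSUMPTIONS for this example: header names and the "v1:<timestamp>:<body>"
# signed-message layout follow the common timestamp+body pattern. Confirm them
# against the Orb documentation or SDK before relying on this code.
SIGNATURE_HEADER = "X-Orb-Signature"
TIMESTAMP_HEADER = "X-Orb-Timestamp"


def expected_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over 'v1:<timestamp>:<raw body>' (assumed layout), hex-encoded."""
    message = b"v1:" + timestamp.encode("ascii") + b":" + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(body: bytes, headers: dict, secret: bytes,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (ok, reason). `body` must be the raw request bytes, not re-serialised JSON."""
    now = time.time() if now is None else now
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    timestamp = lowered.get(TIMESTAMP_HEADER.lower())
    signature_header = lowered.get(SIGNATURE_HEADER.lower())
    if timestamp is None or signature_header is None:
        return False, "missing signature or timestamp header"
    try:
        sent_at = float(timestamp)
    except ValueError:
        return False, "malformed timestamp"
    # Replay protection: reject stale or far-future timestamps before any MAC work.
    if abs(now - sent_at) > TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance window"
    # The header may carry several comma-separated "v1=<hex>" values
    # (for example during secret rotation); accept if any one matches.
    candidates = [p.strip()[3:] for p in signature_header.split(",")
                  if p.strip().startswith("v1=")]
    if not candidates:
        return False, "no v1 signature present"
    expected = expected_signature(secret, timestamp, body).encode("ascii")
    # Constant-time comparison on bytes; never use == for MAC values.
    if not any(hmac.compare_digest(expected, c.encode("utf-8")) for c in candidates):
        return False, "signature mismatch"
    return True, "ok"


def make_signed_headers(body: bytes, secret: bytes, timestamp: str) -> dict:
    """Build headers the way a sender would; used here only to exercise the verifier."""
    return {TIMESTAMP_HEADER: timestamp,
            SIGNATURE_HEADER: "v1=" + expected_signature(secret, timestamp, body)}


def load_secret() -> bytes:
    """Read the signing secret from the environment, as the audited skill recommends."""
    secret = os.environ.get("ORB_WEBHOOK_SECRET")
    if not secret:
        raise RuntimeError("ORB_WEBHOOK_SECRET is not set")
    return secret.encode("utf-8")


# Constructed sample data for this example (not real Orb traffic).
SAMPLE_SECRET = b"whsec_example_do_not_use"
SAMPLE_BODY = b'{"type":"invoice.issued","id":"evt_example"}'
SAMPLE_NOW = 1_700_000_000.0
SAMPLE_HEADERS = make_signed_headers(SAMPLE_BODY, SAMPLE_SECRET, str(int(SAMPLE_NOW)))

if __name__ == "__main__":
    print(verify_webhook(SAMPLE_BODY, SAMPLE_HEADERS, SAMPLE_SECRET, now=SAMPLE_NOW))
    # Same request replayed ten minutes later: rejected by the freshness check.
    print(verify_webhook(SAMPLE_BODY, SAMPLE_HEADERS, SAMPLE_SECRET, now=SAMPLE_NOW + 600))
    # One byte of body tampering: rejected by the MAC check.
    print(verify_webhook(SAMPLE_BODY + b" ", SAMPLE_HEADERS, SAMPLE_SECRET, now=SAMPLE_NOW))
```

Two points worth keeping in mind when wiring this into Express, FastAPI, or Next.js: the verifier must see the raw request bytes (a framework JSON parser that re-serialises the body will change whitespace and key order and break the MAC), and the timestamp check runs before the signature check so that replayed requests are dropped cheaply.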
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 18, 2026, 08:10 AM