replicate-webhooks
Pass
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill provides robust security implementation patterns for webhook verification. Code examples correctly use crypto.timingSafeEqual in Node.js and hmac.compare_digest in Python to prevent timing attacks during signature validation.
- [SAFE]: Implements replay attack prevention by validating the webhook-timestamp header against the current system time with a 5-minute window.
- [EXTERNAL_DOWNLOADS]: Recommends the installation of hookdeck-cli for local development. This is a legitimate utility provided by the skill's author (Hookdeck) for webhook tunneling and inspection.
- [CREDENTIALS_UNSAFE]: The skill follows security best practices by instructing users to store sensitive secrets like REPLICATE_WEBHOOK_SECRET in environment variables rather than hardcoding them in scripts.
- [DATA_EXFILTRATION]: No suspicious network operations or data exfiltration patterns were detected. Network activity is limited to standard webhook receiving and local development tunneling.
- [PROMPT_INJECTION]: No attempts to override agent behavior or bypass safety guidelines were found in the instructions or documentation.
Audit Metadata