slack-webhooks
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill provides robust implementations for Slack signature verification using HMAC-SHA256. It correctly employs timing-safe comparison functions (`crypto.timingSafeEqual` in JavaScript and `hmac.compare_digest` in Python) to mitigate side-channel timing attacks.
- [SAFE]: Signature verification is performed using the raw request body, preventing common errors where JSON re-stringification alters the payload and causes verification failures.
- [SAFE]: Implements replay protection by validating the `X-Slack-Request-Timestamp` header, rejecting any requests outside a 5-minute window relative to the server time.
- [SAFE]: Promotes secure credential management by instructing users to store sensitive signing secrets in environment variables rather than hardcoding them in source code.
- [SAFE]: The skill uses reputable, well-known dependencies for its web server and testing frameworks. References to external tools are limited to the author's own development CLI (`hookdeck-cli`) for local webhook forwarding.
Audit Metadata