woocommerce-webhooks

Warn

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Unverifiable package versions in dependency manifests. The package.json and requirements.txt files across the Next.js, Express, and FastAPI examples specify versions for widely used packages (such as next@^16.1.6, express@^5.2.1, jest@^30.2.0, fastapi>=0.128.1, and pytest>=9.0.2) that are not yet available in the official NPM or PyPI registries. This pattern represents a security risk where an attacker could preemptively register these versions to distribute malicious code via dependency confusion.
  • [PROMPT_INJECTION]: Indirect prompt injection surface via webhook payload ingestion. The handlers in src/index.js, route.ts, and main.py ingest untrusted JSON data from external HTTP POST requests.
  • Ingestion points: request.json(), request.text(), and express.raw() are used to capture external payloads in the framework examples.
  • Boundary markers: No explicit delimiters or instructions are used to separate user-controlled data from system-level instructions within logging or processing logic.
  • Capability inventory: The skill performs logging of event IDs and types, but does not currently perform high-risk actions such as file writes or network requests using the payload data.
  • Sanitization: Payloads are validated as JSON, but individual fields are not sanitized or escaped before being logged or processed.
  • [EXTERNAL_DOWNLOADS]: Installation of vendor-specific tools. The skill recommends installing hookdeck-cli via npm or brew and references related skills within the hookdeck organization on GitHub.
  • [SAFE]: Secure implementation of webhook signature verification. The provided handlers correctly utilize crypto.timingSafeEqual (Node.js) and hmac.compare_digest (Python) to validate the X-WC-Webhook-Signature header, following industry best practices to mitigate timing-based side-channel attacks.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 18, 2026, 08:10 AM
Security Audit — agent-trust-hub — woocommerce-webhooks