integrate-hookmyapp
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to install the official CLI package
@gethookmyapp/clifrom the npm registry and clones a starter kit from the vendor's public GitHub repository (hookmyapp/webhook-starter-kit). These resources are provided by the official vendor and follow standard development workflows. - [COMMAND_EXECUTION]: Shell commands are used to interact with the HookMyApp CLI for workspace management, channel configuration, and diagnostic tasks. This includes setting up local tunnels and writing configuration to the
~/.config/hookmyappdirectory. - [REMOTE_CODE_EXECUTION]: The CLI tool includes a command (
--reinstall-tunnel-binary) that manages the download and installation of thecloudflaredbinary from Cloudflare. This is a well-known service and is a documented part of the tool's functionality for providing secure tunnels for local development. - [DATA_EXFILTRATION]: While the skill involves managing long-lived access tokens, it provides clear safety guidelines, explicitly warning users never to paste tokens into logs or chat interfaces. It recommends using standard secret management practices such as
.envfiles and environment-variable managers. - [SAFE]: Indirect Prompt Injection Surface: A minor surface for indirect prompt injection exists when using the
--verboseflag on listener commands, as raw webhook payloads (which could contain attacker-supplied messages) are printed to the terminal logs. - Ingestion points:
SKILL.md(viahookmyapp sandbox listen --verboseandchannels listen --verboseoutput). - Boundary markers: Absent for the log output.
- Capability inventory: The agent primarily uses shell execution for CLI management; it does not treat the content of messages as instructions for autonomous action.
- Sanitization: Not applicable to the diagnostic log stream.
Audit Metadata