inflow-payments
Pass
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill communicates exclusively with the official InFlow platform domains (api.inflowpay.ai, sandbox.inflowpay.ai) for API operations and SDK loading.
- [SAFE]: Implements a 'Hard Backend Gate' policy that strictly prohibits the use of the INFLOW_API_KEY in frontend code, mitigating the risk of credential exposure.
- [SAFE]: Provides clear guidance on implementing HMAC-SHA256 signature verification for webhook endpoints to ensure the integrity and authenticity of payment notifications.
- [SAFE]: Indirect prompt injection risk is evaluated as safe. Ingestion points include webhook payloads and API responses (SKILL.md, references/flows.md). While no explicit boundary markers are used in the provided examples, the skill relies on structured JSON processing and implements sanitization via mandatory HMAC signature verification.
Audit Metadata