acp-orders-webhooks

Pass

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: SAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill fetches documentation and implementation guidelines from well-known and trusted services, including OpenAI's developer portal, Stripe's documentation, and GitHub.
  • [DATA_EXFILTRATION]: No hardcoded secrets or unauthorized data transfer patterns were detected. The skill conceptually describes the use of shared secrets for HMAC signing as part of a secure architecture.
  • [PROMPT_INJECTION]: The skill was evaluated for indirect prompt injection risk because it fetches external documentation to guide code generation. The risk is negligible as it targets high-reputation domains (OpenAI, Stripe) and encourages security-first implementation.
  • Ingestion points: Fetches guides from OpenAI and Stripe using WebFetch and WebSearch (SKILL.md).
  • Boundary markers: None explicitly defined for external document ingestion.
  • Capability inventory: Uses Bash, Write, and Edit tools (SKILL.md).
  • Sanitization: The skill specifically recommends implementing HMAC verification and timing-safe comparisons for processing incoming data.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 19, 2026, 07:32 AM
Security Audit — agent-trust-hub — acp-orders-webhooks