acp-orders-webhooks
Pass
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches documentation and implementation guidelines from well-known and trusted services, including OpenAI's developer portal, Stripe's documentation, and GitHub.
- [DATA_EXFILTRATION]: No hardcoded secrets or unauthorized data transfer patterns were detected. The skill conceptually describes the use of shared secrets for HMAC signing as part of a secure architecture.
- [PROMPT_INJECTION]: The skill was evaluated for indirect prompt injection risk because it fetches external documentation to guide code generation. The risk is negligible as it targets high-reputation domains (OpenAI, Stripe) and encourages security-first implementation.
- Ingestion points: Fetches guides from OpenAI and Stripe using WebFetch and WebSearch (SKILL.md).
- Boundary markers: None explicitly defined for external document ingestion.
- Capability inventory: Uses Bash, Write, and Edit tools (SKILL.md).
- Sanitization: The skill specifically recommends implementing HMAC verification and timing-safe comparisons for processing incoming data.
Audit Metadata