The Agent Skills Directory

[SAFE]: The skill uses environment variables (SUMSUB_APP_TOKEN, SUMSUB_SECRET_KEY) to manage credentials, which is a standard and secure practice for CLI tools.
[SAFE]: The orchestration script manage_webhooks.sh includes a guardrail that prevents the use of production App Tokens by checking for the sbx: prefix, unless explicitly overridden, protecting the user from accidental production configuration changes.
[SAFE]: The get command implementation in manage_webhooks.sh specifically redacts the secretKey from the API response before displaying it to the user. This is a critical security measure as the Sumsub API returns these secrets in plaintext.
[SAFE]: The build_webhook_payload.py script performs comprehensive validation on webhook specifications, including a safety check that rejects local or loopback addresses. This ensures the target URL is publicly reachable by the service provider's infrastructure.
[SAFE]: Authentication is handled correctly using HMAC-SHA256 signatures generated locally with openssl, ensuring that sensitive signing operations are performed within the agent's controlled environment.
[SAFE]: The skill ingests user-provided JSON specifications for webhook operations. It mitigates potential indirect prompt injection risks by parsing the input using standard JSON libraries and performing strict validation of all fields (including enum checks for target types and algorithms) before any network activity occurs.

sumsub-manage-webhooks