webflow-webhooks

Enables the receipt and verification of Webflow webhooks for various events, enhancing integration and automation capabilities.

Security score: 7/100

The webflow-webhooks skill was audited on Mar 8, 2026 and we found 25 security issues across 4 threat categories. Review the findings below before installing.

Security Issues

medium line 40

Template literal with variable interpolation in command context

Source: SKILL.md
const signedContent = `${timestamp}:${rawBody}`;
medium line 2

Webhook reference - potential data exfiltration

Source: SKILL.md
name: webflow-webhooks
medium line 3

Webhook reference - potential data exfiltration

Source: SKILL.md
description: Receive and verify Webflow webhooks. Use when setting up Webflow webhook handlers, debugging signature verification, or handling Webflow events like form_submission, site_publish, ecomm_n
medium line 8

Webhook reference - potential data exfiltration

Source: SKILL.md
url: "https://skills.224ai.au/webflow-webhooks.skill"
medium line 10

Webhook reference - potential data exfiltration

Source: SKILL.md
keywords: "ai, agent, skill, webhooks, signature verification, webflow, form submission, site publish, ecomm order, collection item"
medium line 13

Webhook reference - potential data exfiltration

Source: SKILL.md
# Webflow Webhooks
medium line 15

Webhook reference - potential data exfiltration

Source: SKILL.md
Receive, verify, and process Webflow webhook events for form submissions, CMS changes, ecommerce orders, site publishing, and more.
medium line 19

Webhook reference - potential data exfiltration

Source: SKILL.md
> **Prerequisite:** You need a Webflow account with an active site. For signature verification, create webhooks via the API (not the dashboard) — see [Setup](references/setup.md).
medium line 21

Webhook reference - potential data exfiltration

Source: SKILL.md
1. **Create webhook**: Register a webhook via the Webflow API for your desired event type
low line 61

Webhook reference - potential data exfiltration

Source: SKILL.md
app.post('/webhooks/webflow', express.raw({ type: 'application/json' }), (req, res) => {
low line 73

Webhook reference - potential data exfiltration

Source: SKILL.md
process.env.WEBFLOW_WEBHOOK_SECRET
medium line 103

Webhook reference - potential data exfiltration

Source: SKILL.md
Webflow supports 14 webhook event types across 6 categories: Forms, Site, Pages, Ecommerce, CMS, and Comments. See **[references/event-types.md](references/event-types.md)** for the complete reference
low line 117

Webhook reference - potential data exfiltration

Source: SKILL.md
# For webhooks created via OAuth App
low line 118

Webhook reference - potential data exfiltration

Source: SKILL.md
WEBFLOW_WEBHOOK_SECRET=your_oauth_client_secret
low line 120

Webhook reference - potential data exfiltration

Source: SKILL.md
# For webhooks created via API (after April 2025)
low line 121

Webhook reference - potential data exfiltration

Source: SKILL.md
WEBFLOW_WEBHOOK_SECRET=whsec_xxxxx # Returned when creating webhook
medium line 126

Webhook reference - potential data exfiltration

Source: SKILL.md
1. **Always verify signatures**: Use HMAC-SHA256 verification for webhooks created via OAuth or API — see [Verification](references/verification.md)
medium line 131

Webhook reference - potential data exfiltration

Source: SKILL.md
6. **Use HTTPS in production**: Webhook endpoints must use HTTPS for security
medium line 135

Webhook reference - potential data exfiltration

Source: SKILL.md
- **Never handle secrets in plain text.** API tokens, OAuth client secrets, and webhook signing secrets must always be stored in environment variables or a secrets manager. Never ask the user for toke
medium line 136

Webhook reference - potential data exfiltration

Source: SKILL.md
- Webhooks created through the Webflow dashboard do NOT include signature headers
medium line 137

Webhook reference - potential data exfiltration

Source: SKILL.md
- Only webhooks created via OAuth apps or API include `x-webflow-signature` and `x-webflow-timestamp`
medium line 146

Webhook reference - potential data exfiltration

Source: SKILL.md
- **[references/webhook-api.md](references/webhook-api.md)**: REST API v2 endpoints for creating, listing, getting, and deleting webhooks
medium line 147

Webhook reference - potential data exfiltration

Source: SKILL.md
- **[references/overview.md](references/overview.md)**: Webhook concepts, delivery behavior, limits, and security considerations
low line 73

Access to .env file

Source: SKILL.md
process.env.WEBFLOW_WEBHOOK_SECRET
low line 8

External URL reference

Source: SKILL.md
url: "https://skills.224ai.au/webflow-webhooks.skill"
Scanned on Mar 8, 2026