convex-http-actions

Facilitates external API integration and webhook handling with customizable HTTP endpoints in Convex applications.

Install this skill

or

16/100

Security score

The convex-http-actions skill was audited on Mar 1, 2026 and we found 36 security issues across 3 threat categories. Review the findings below before installing.

Categories Tested

Security Issues

medium line 640

Template literal with variable interpolation in command context

SourceSKILL.md

640	name: `${event.data.first_name} ${event.data.last_name}`,

medium line 648

Template literal with variable interpolation in command context

SourceSKILL.md

648	name: `${event.data.first_name} ${event.data.last_name}`,

medium line 4

Webhook reference - potential data exfiltration

SourceSKILL.md

4	description: External API integration and webhook handling including HTTP endpoint routing, request/response handling, authentication, CORS configuration, and webhook signature validation

medium line 7

Webhook reference - potential data exfiltration

SourceSKILL.md

7	tags: [convex, http, actions, webhooks, api, endpoints]

medium line 12

Webhook reference - potential data exfiltration

SourceSKILL.md

12	Build HTTP endpoints for webhooks, external API integrations, and custom routes in Convex applications.

medium line 29

Webhook reference - potential data exfiltration

SourceSKILL.md

29	- Receive webhooks from third-party services

medium line 222

Webhook reference - potential data exfiltration

SourceSKILL.md

222	### Webhook Handling

low line 232

Webhook reference - potential data exfiltration

SourceSKILL.md

232	// Stripe webhook

low line 234

Webhook reference - potential data exfiltration

SourceSKILL.md

234	path: "/webhooks/stripe",

low line 244

Webhook reference - potential data exfiltration

SourceSKILL.md

244	// Verify webhook signature (in action with Node.js)

low line 246

Webhook reference - potential data exfiltration

SourceSKILL.md

246	await ctx.runAction(internal.stripe.verifyAndProcessWebhook, {

low line 252

Webhook reference - potential data exfiltration

SourceSKILL.md

252	console.error("Webhook error:", error);

low line 253

Webhook reference - potential data exfiltration

SourceSKILL.md

253	return new Response("Webhook error", { status: 400 });

low line 258

Webhook reference - potential data exfiltration

SourceSKILL.md

258	// GitHub webhook

low line 260

Webhook reference - potential data exfiltration

SourceSKILL.md

260	path: "/webhooks/github",

low line 272

Webhook reference - potential data exfiltration

SourceSKILL.md

272	await ctx.runAction(internal.github.processWebhook, {

medium line 285

Webhook reference - potential data exfiltration

SourceSKILL.md

285	### Webhook Signature Verification

low line 298

Webhook reference - potential data exfiltration

SourceSKILL.md

298	export const verifyAndProcessWebhook = internalAction({

low line 305

Webhook reference - potential data exfiltration

SourceSKILL.md

305	const webhookSecret = process.env.STRIPE_WEBHOOK_SECRET!;

low line 308

Webhook reference - potential data exfiltration

SourceSKILL.md

308	const event = stripe.webhooks.constructEvent(

low line 311

Webhook reference - potential data exfiltration

SourceSKILL.md

311	webhookSecret

medium line 565

Webhook reference - potential data exfiltration

SourceSKILL.md

565	### Complete Webhook Integration

low line 575

Webhook reference - potential data exfiltration

SourceSKILL.md

575	// Clerk webhook for user sync

low line 577

Webhook reference - potential data exfiltration

SourceSKILL.md

577	path: "/webhooks/clerk",

low line 599

Webhook reference - potential data exfiltration

SourceSKILL.md

599	console.error("Clerk webhook error:", error);

low line 600

Webhook reference - potential data exfiltration

SourceSKILL.md

600	return new Response("Webhook verification failed", { status: 400 });

low line 615

Webhook reference - potential data exfiltration

SourceSKILL.md

615	import { Webhook } from "svix";

low line 626

Webhook reference - potential data exfiltration

SourceSKILL.md

626	const webhookSecret = process.env.CLERK_WEBHOOK_SECRET!;

low line 627

Webhook reference - potential data exfiltration

SourceSKILL.md

627	const wh = new Webhook(webhookSecret);

low line 683

Webhook reference - potential data exfiltration

SourceSKILL.md

683	webhookEvents: defineTable({

medium line 713

Webhook reference - potential data exfiltration

SourceSKILL.md

713	- Verify webhook signatures before processing

medium line 714

Webhook reference - potential data exfiltration

SourceSKILL.md

714	- Log webhook events for debugging

medium line 721

Webhook reference - potential data exfiltration

SourceSKILL.md

721	2. Not validating webhook signatures - Security vulnerability

low line 296

Access to .env file

SourceSKILL.md

296	const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);

low line 305

Access to .env file

SourceSKILL.md

305	const webhookSecret = process.env.STRIPE_WEBHOOK_SECRET!;

low line 626

Access to .env file

SourceSKILL.md

626	const webhookSecret = process.env.CLERK_WEBHOOK_SECRET!;

Scanned on Mar 1, 2026

View Security Dashboard

Install this skill with one command

/learn @debsouryadatta/convex-http-actions

GitHub Stars 1

Rate this skill

Categorydevelopment

UpdatedMarch 29, 2026

openclaw api backend backend-developer devops-sre data-engineer development

debsouryadatta/memo-hack