setup-webhook

Configures Vapi server URLs and webhooks for real-time call events and tool integrations, enhancing application interactivity.

Install this skill

or

0/100

Security score

The setup-webhook skill was audited on Mar 8, 2026 and we found 35 security issues across 3 threat categories, including 2 high-severity. Review the findings below before installing.

Categories Tested

Security Issues

medium line 82

Template literal with variable interpolation in command context

SourceSKILL.md

82	firstMessage: `Hello ${message.call.customer?.name \|\| "there"}!`,

medium line 123

Template literal with variable interpolation in command context

SourceSKILL.md

123	console.log(`[${message.role}]: ${message.transcript}`);

medium line 134

Template literal with variable interpolation in command context

SourceSKILL.md

134	return `Result for ${name}`;

high line 217

Piping content to bash shell

SourceSKILL.md

217	curl -sSL https://vapi.ai/install.sh \| bash

medium line 26

Curl to non-GitHub URL

SourceSKILL.md

26	curl -X PATCH https://api.vapi.ai/assistant/{id} \

medium line 38

Curl to non-GitHub URL

SourceSKILL.md

38	curl -X PATCH https://api.vapi.ai/phone-number/{id} \

medium line 217

Curl to non-GitHub URL

SourceSKILL.md

217	curl -sSL https://vapi.ai/install.sh \| bash

medium line 2

Webhook reference - potential data exfiltration

SourceSKILL.md

2	name: setup-webhook

medium line 3

Webhook reference - potential data exfiltration

SourceSKILL.md

3	description: Configure Vapi server URLs and webhooks to receive real-time call events, transcripts, tool calls, and end-of-call reports. Use when setting up webhook endpoints, building tool servers, o

medium line 11

Webhook reference - potential data exfiltration

SourceSKILL.md

11	# Vapi Webhook / Server URL Setup

medium line 19

Webhook reference - potential data exfiltration

SourceSKILL.md

19	Vapi uses "Server URLs" (webhooks) to communicate with your application. Unlike traditional one-way webhooks, Vapi server URLs support bidirectional communication — your server can respond with data t

low line 30

Webhook reference - potential data exfiltration

SourceSKILL.md

30	"serverUrl": "https://your-server.com/vapi/webhook",

low line 31

Webhook reference - potential data exfiltration

SourceSKILL.md

31	"serverUrlSecret": "your-webhook-secret"

low line 42

Webhook reference - potential data exfiltration

SourceSKILL.md

42	"serverUrl": "https://your-server.com/vapi/webhook"

medium line 64

Webhook reference - potential data exfiltration

SourceSKILL.md

64	## Webhook Server Example (Express.js)

low line 73

Webhook reference - potential data exfiltration

SourceSKILL.md

73	app.post("/vapi/webhook", (req, res) => {

low line 137

Webhook reference - potential data exfiltration

SourceSKILL.md

137	app.listen(3000, () => console.log("Webhook server running on port 3000"));

medium line 140

Webhook reference - potential data exfiltration

SourceSKILL.md

140	## Webhook Server Example (Python / Flask)

low line 147

Webhook reference - potential data exfiltration

SourceSKILL.md

147	@app.route("/vapi/webhook", methods=["POST"])

low line 148

Webhook reference - potential data exfiltration

SourceSKILL.md

148	def vapi_webhook():

medium line 189

Webhook reference - potential data exfiltration

SourceSKILL.md

189	## Webhook Authentication

medium line 191

Webhook reference - potential data exfiltration

SourceSKILL.md

191	Verify webhook authenticity using the secret:

low line 194

Webhook reference - potential data exfiltration

SourceSKILL.md

194	function verifyWebhook(req: express.Request, secret: string): boolean {

medium line 213

Webhook reference - potential data exfiltration

SourceSKILL.md

213	Use the Vapi CLI to forward webhooks to your local server:

low line 220

Webhook reference - potential data exfiltration

SourceSKILL.md

220	vapi listen --forward-to localhost:3000/vapi/webhook

medium line 247

Webhook reference - potential data exfiltration

SourceSKILL.md

247	- [Server URL Events](references/webhook-events.md) — All event types with payload schemas

medium line 249

Webhook reference - potential data exfiltration

SourceSKILL.md

249	- [Local Development](https://docs.vapi.ai/server-url/developing-locally) — Testing webhooks locally

high line 223

Ngrok tunnel reference

SourceSKILL.md

223	Or use ngrok:

medium line 226

Ngrok tunnel reference

SourceSKILL.md

226	ngrok http 3000

medium line 227

Ngrok tunnel reference

SourceSKILL.md

227	# Copy the ngrok URL and set it as your server URL

low line 26

External URL reference

SourceSKILL.md

26	curl -X PATCH https://api.vapi.ai/assistant/{id} \

low line 30

External URL reference

SourceSKILL.md

30	"serverUrl": "https://your-server.com/vapi/webhook",

low line 38

External URL reference

SourceSKILL.md

38	curl -X PATCH https://api.vapi.ai/phone-number/{id} \

low line 42

External URL reference

SourceSKILL.md

42	"serverUrl": "https://your-server.com/vapi/webhook"

low line 217

External URL reference

SourceSKILL.md

217	curl -sSL https://vapi.ai/install.sh \| bash

Scanned on Mar 8, 2026

View Security Dashboard

Installation guide →

GitHub Stars 3

Rate this skill

Categorymarketing

UpdatedMay 21, 2026

openclaw api growth-marketer product-marketer technical-pm marketing product

diegosouzapw/awesome-omni-skill