auto-webhooks
Configures ADO service hooks and PR Review policies for automation agents using ADO REST API, enhancing CI/CD workflows.
Security score
The auto-webhooks skill was audited on Jun 14, 2026 and we found 65 security issues across 3 threat categories, including 1 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context

| Line | Snippet |
|---|---|
| 164 | ```bash |
| 193 | ```bash |
| 209 | **Skip for consumer profile.** Same mechanism as **2b**/**2c** — the DoR agent (`ado-cli-dor.yml`, `/dx-dor`) gets a comment trigger: a comment containing `@kai-dor` **on a User Story** fires a Servic |
| 220 | ```bash |
Webhook reference - potential data exfiltration

| Line | Snippet |
|---|---|
| 2 | name: auto-webhooks |
| 27 | - For **full-hub only**: `webhooks.wi-userstory.url` (BugFix uses the Azure-native `webhooks.bugfix` comment hook — see 2c — not a WI-Router URL) |
| 28 | - Check if `webhooks.*.status` is already `configured` — skip if so |
| 34 | > **Webhook username?** (same as Lambda `BASIC_USER` set in hub's `/auto-lambda-env`) |
| 36 | > **Webhook password?** (same as Lambda `BASIC_PASS`) — secret, not stored |
| 38 | > **Webhook secret?** (same as Lambda `WEBHOOK_SECRET`) — secret, not stored |
| 86 | "consumerId": "webHooks", |
| 97 | "httpHeaders": "x-webhook-secret:<WEBHOOK_SECRET>" |
| 104 | - `webhooks.wi-userstory.subscriptionId` → returned ID |
| 105 | - `webhooks.wi-userstory.status` → `"configured"` |
| 112 | pipeline's Incoming WebHook — no Lambda, no tag hook. `bugfix` is intentionally |
| 117 | **Skip for consumer profile.** This is the only hook that does **not** route through a Lambda. SimpleAgent (`ado-cli-simple.yml`, `/dx-simple`) is triggered entirely inside ADO: a comment containing ` |
| 119 | **Prerequisite — Incoming WebHook service connection.** Names are fixed to match `ado-cli-simple.yml` (and `ado-cli-simple-router.yml`): |
| 120 | - **Webhook Name:** `kai-simple` (matches the `webhook:` alias in the pipeline) |
| 126 | > **Incoming WebHook secret?** (optional — HMAC secret shared between the Service Hook and the Incoming WebHook connection. Leave blank for none.) — secret, not stored |
| 146 | "type": "incomingwebhook", |
| 149 | "data": { "webhookName": "kai-simple"<SECRET_FIELD> }, |
| 158 | Where `<SECRET_FIELD>` is `, "secret": "<webhook-secret>"` when a secret was provided, or empty otherwise. `<PROJECT_ID>` is the GUID from step 0. |
| 160 | **Fallback (UI):** if the REST create is rejected (older ADO without the `incomingwebhook` endpoint type), create it manually: Project Settings → Service connections → New → **Incoming WebHook**, Webh |
| 168 | Create the Service Hook on the **"Work item commented on"** event, filtered so the **comment contains `$TRIGGER_TOKEN`**, delivering to the `kai-simple` Incoming WebHook (the pipeline's webhook resour |
| 173 | - **Single-platform projects (default):** point the hook at the **`simple`** pipeline's `kai-simple` Incoming WebHook, exactly as described above. The one dx-simple pipeline applies the change directl |
| 174 | - **Multi-repo projects:** point the hook at the **`hub`** (KAI-HUB router) Incoming WebHook (`ado-cli-hub.yml`) instead of `simple` directly. The hub parses the `@kai-<agent>` tag, runs `dx-discover- |
| 177 | - `webhooks.simple.connection` → `kai-simple-trigger-sc` |
| 178 | - `webhooks.simple.connectionId` → service connection ID (`$EXISTING_SC` or the created endpoint's `id`) |
| 179 | - `webhooks.simple.subscriptionId` → returned Service Hook ID |
| 180 | - `webhooks.simple.status` → `"configured"` |
| 184 | **Skip for consumer profile.** Identical mechanism to **2b** (SimpleAgent) — the BugFix agent (`ado-cli-bug-fix.yml`, `/dx-bug-all`) is also fully Azure-native: a comment containing `@kai-bugfix` **on |
| 186 | **Prerequisite — Incoming WebHook service connection** (names match `ado-cli-bug-fix.yml`): |
| 187 | - **Webhook Name:** `bugfixHook` (matches the `webhook:` alias) |
| 190 | Create it exactly as in 2b (idempotent `az rest` GET → POST `incomingwebhook` endpoint), substituting `kai-bugfix-trigger-sc` / `bugfixHook` for the simple names. UI fallback is the same. |
| 197 | Create the Service Hook on **"Work item commented on"** with **two** filters — comment contains `$TRIGGER_TOKEN` **AND** Work Item Type = `Bug` (the pipeline's `resources.webhooks.filters` already enf |
| 202 | - `webhooks.bugfix.connection` → `kai-bugfix-trigger-sc` |
| 203 | - `webhooks.bugfix.connectionId` → service connection ID |
| 204 | - `webhooks.bugfix.subscriptionId` → returned Service Hook ID |
| 205 | - `webhooks.bugfix.status` → `"configured"` |
| 209 | **Skip for consumer profile.** Same mechanism as **2b**/**2c** — the DoR agent (`ado-cli-dor.yml`, `/dx-dor`) gets a comment trigger: a comment containing `@kai-dor` **on a User Story** fires a Servic |
| 213 | **Prerequisite — Incoming WebHook service connection** (names match `ado-cli-dor.yml`): |
| 214 | - **Webhook Name:** `dorHook` (matches the `webhook:` alias) |
| 217 | Create it exactly as in 2b (idempotent `az rest` GET → POST `incomingwebhook` endpoint), substituting `kai-dor-trigger-sc` / `dorHook` for the simple names. UI fallback is the same. |
| 224 | Create the Service Hook on **"Work item commented on"** with **two** filters — comment contains `$TRIGGER_TOKEN` **AND** Work Item Type = `User Story` (the pipeline's `resources.webhooks.filters` alre |
| 229 | - `webhooks.dor.connection` → `kai-dor-trigger-sc` |
| 230 | - `webhooks.dor.connectionId` → service connection ID |
| 231 | - `webhooks.dor.subscriptionId` → returned Service Hook ID |
| 232 | - `webhooks.dor.status` → `"configured"` |
| 249 | "consumerId": "webHooks", |
| 260 | "httpHeaders": "x-webhook-secret:<WEBHOOK_SECRET>" |
| 266 | - `<pr-answer-url>` — for hub: from `webhooks.pr-answer.url` in infra.json. For consumer: the hub's PR Router Lambda URL (asked in step 0). |
| 271 | - `webhooks.pr-answer.subscriptionId` → returned ID |
| 272 | - `webhooks.pr-answer.status` → `"configured"` |
| 311 | - `webhooks.pr-review.policyId` → returned ID |
| 312 | - `webhooks.pr-review.status` → `"configured"` |
| 321 | ## ADO Webhooks Configured (Hub) |
| 327 | \| SimpleAgent \| workitem.commented (comment contains @kai-simple) \| Project → pipeline Incoming WebHook (no Lambda) \| kai-simple-trigger-sc \| ✓ configured \| |
| 328 | \| BugFix \| workitem.commented (comment contains @kai-bugfix, type Bug) \| Project → pipeline Incoming WebHook (no Lambda) \| kai-bugfix-trigger-sc \| ✓ configured \| |
| 329 | \| DoR \| workitem.commented (comment contains @kai-dor, type User Story) \| Project → pipeline Incoming WebHook (no Lambda) \| kai-dor-trigger-sc \| ✓ configured \| |
| 348 | ## ADO Webhooks Configured (Consumer) |
| 373 | 1. `/auto-webhooks` (hub project) — Creates 2 WI hooks (User Story + Bug, tag-filtered to `KAI-TRIGGER`) in the work-item ADO project (from scm.wiki-project config), 1 PR Answer hook scoped to the rep |
| 375 | 2. `/auto-webhooks` (consumer project) — Skips WI hooks (managed by hub). Creates 1 PR Answer hook scoped to this repo + base branch pointing to the hub's Lambda URL, and 1 PR Review build validation |
| 377 | 3. `/auto-webhooks` (re-run, hooks already exist) — Lists existing service hooks via `az rest`, detects that the PR Answer hook and PR Review policy already exist for this repo. Skips creation with "a |
| 404 | - **Tag-based routing** — all WI webhooks route to a single `/wi` endpoint. The WI Router Lambda scans work item tags against configured TAG_GATE_* env vars to determine which agent to invoke. No per- |
External URL reference

| Line | Snippet |
|---|---|
| 31 | > **Hub's PR Router Lambda URL?** The API Gateway URL from the hub project's infra.json (e.g., `https://<id>.execute-api.us-east-1.amazonaws.com/prod/pr-answer`). |