webhooks
Facilitates the management and debugging of webhook integrations with various external services like GitHub and Stripe.
Security score
The webhooks skill was audited on May 12, 2026 and we found 58 security issues across 2 threat categories. Review the findings below before installing.
Security Issues
Curl to non-GitHub URL
| 72 | curl -s http://localhost:3111/ | jq .webhooks |
Curl to non-GitHub URL
| 83 | curl -X POST http://localhost:3111/webhooks/vercel \ |
Curl to non-GitHub URL
| 117 | curl -X POST "https://api.vercel.com/v1/webhooks" \ |
Webhook reference - potential data exfiltration
| 2 | name: webhooks |
Webhook reference - potential data exfiltration
| 3 | displayName: Webhooks |
Webhook reference - potential data exfiltration
| 4 | description: "Add, debug, and manage webhook providers in the joelclaw webhook gateway. Use when: adding a new webhook integration (GitHub, Stripe, Vercel, etc.), debugging webhook signature failures, |
Webhook reference - potential data exfiltration
| 7 | tags: [joelclaw, webhooks, integrations, signatures, inngest] |
Webhook reference - potential data exfiltration
| 10 | # Webhook Gateway Operations |
Webhook reference - potential data exfiltration
| 12 | Manage the joelclaw webhook gateway — add providers, debug delivery, register with external services. |
Webhook reference - potential data exfiltration
| 17 | External Service → Tailscale Funnel :443 → Worker :3111 → /webhooks/:provider |
Webhook reference - potential data exfiltration
| 21 | - **ADR-0048**: Webhook Gateway for External Service Integration |
Webhook reference - potential data exfiltration
| 28 | | todoist | comment.added, task.completed, task.created | HMAC-SHA256 (`x-todoist-hmac-sha256`) | `https://panda.tail7af24.ts.net/webhooks/todoist` | |
Webhook reference - potential data exfiltration
| 29 | | front | message.received, message.sent, assignee.changed | HMAC-SHA1 (`x-front-signature`) | `https://panda.tail7af24.ts.net/webhooks/front` | |
Webhook reference - potential data exfiltration
| 30 | | vercel | deploy.succeeded, deploy.error, deploy.created, deploy.canceled | HMAC-SHA1 (`x-vercel-signature`) | `https://panda.tail7af24.ts.net/webhooks/vercel` | |
Webhook reference - potential data exfiltration
| 31 | | github | workflow_run.completed, package.published | HMAC-SHA256 (`x-hub-signature-256`) | `https://panda.tail7af24.ts.net/webhooks/github` | |
Webhook reference - potential data exfiltration
| 33 | **Current ADR-0217 pilot note:** when `QUEUE_PILOTS=github`, the webhook gateway enqueues normalized `github/workflow_run.completed` events into the shared Redis queue instead of posting them directly |
Webhook reference - potential data exfiltration
| 40 | 1. Create `providers/{name}.ts` implementing `WebhookProvider` interface |
Webhook reference - potential data exfiltration
| 44 | 5. Store webhook secret in `agent-secrets` → add lease to `start.sh` |
Webhook reference - potential data exfiltration
| 46 | 7. Register webhook URL with external service |
Webhook reference - potential data exfiltration
| 47 | 8. Verify E2E with `curl` + real webhook |
Webhook reference - potential data exfiltration
| 53 | | `packages/system-bus/src/webhooks/types.ts` | `WebhookProvider` interface, `NormalizedEvent` type | |
Webhook reference - potential data exfiltration
| 54 | | `packages/system-bus/src/webhooks/server.ts` | Hono router — dispatches to providers, rate limiting | |
Webhook reference - potential data exfiltration
| 55 | | `packages/system-bus/src/webhooks/providers/` | Provider implementations (one file per service) | |
Webhook reference - potential data exfiltration
| 60 | | `packages/system-bus/src/serve.ts` | Worker role selection + health endpoint + webhook provider list | |
Webhook reference - potential data exfiltration
| 63 | ## Debugging Webhooks |
Webhook reference - potential data exfiltration
| 65 | ### Check if webhook is arriving |
Webhook reference - potential data exfiltration
| 69 | joelclaw logs worker --follow --grep webhook |
Webhook reference - potential data exfiltration
| 72 | curl -s http://localhost:3111/ | jq .webhooks |
Webhook reference - potential data exfiltration
| 73 | # → { endpoint: "/webhooks/:provider", providers: ["todoist", "front", "vercel"] } |
Webhook reference - potential data exfiltration
| 80 | SECRET="your-webhook-secret" |
Webhook reference - potential data exfiltration
| 81 | BODY='{"type":"test-webhook","payload":{}}' |
Webhook reference - potential data exfiltration
| 83 | curl -X POST http://localhost:3111/webhooks/vercel \ |
Webhook reference - potential data exfiltration
| 90 | - **Wrong secret** — Todoist uses `client_secret` (not "Verification token"), Vercel uses the secret from webhook creation, Front uses the rules-based secret |
Webhook reference - potential data exfiltration
| 109 | ## Registering Webhooks with Services |
Webhook reference - potential data exfiltration
| 114 | # Via Vercel dashboard: Settings → Webhooks → Create |
Webhook reference - potential data exfiltration
| 117 | curl -X POST "https://api.vercel.com/v1/webhooks" \ |
Webhook reference - potential data exfiltration
| 121 | "url": "https://panda.tail7af24.ts.net/webhooks/vercel", |
Webhook reference - potential data exfiltration
| 126 | The response includes a `secret` — store it: `secrets add vercel_webhook_secret --value "..."` |
Webhook reference - potential data exfiltration
| 130 | Set up via repo Settings → Webhooks: |
Webhook reference - potential data exfiltration
| 131 | - **URL**: `https://panda.tail7af24.ts.net/webhooks/github` |
Webhook reference - potential data exfiltration
| 133 | - **Secret**: generate one, store as `github_webhook_secret` |
Webhook reference - potential data exfiltration
| 138 | Already configured via Todoist App Console → Webhooks tab. |
Webhook reference - potential data exfiltration
| 143 | Already configured via Front Rules → "Trigger a webhook" action. |
Webhook reference - potential data exfiltration
| 144 | Rules webhooks scope to specific inboxes at the rule layer. |
Webhook reference - potential data exfiltration
| 151 | | Front | HMAC-SHA1 | base64 (over compact JSON) | `x-front-signature` | Rules webhook secret | |
Webhook reference - potential data exfiltration
| 152 | | Vercel | HMAC-SHA1 | hex | `x-vercel-signature` | Webhook creation response | |
Webhook reference - potential data exfiltration
| 153 | | GitHub | HMAC-SHA256 | hex (prefixed `sha256=`) | `x-hub-signature-256` | Webhook config secret | |
Webhook reference - potential data exfiltration
| 160 | - **Vercel webhooks are Pro/Enterprise only** — free plans cannot create account-level webhooks |
Webhook reference - potential data exfiltration
| 161 | - **Front has TWO webhook types** — App-level (SHA256, challenges) vs Rules-based (SHA1, no challenges). We use Rules-based |
External URL reference
| 28 | | todoist | comment.added, task.completed, task.created | HMAC-SHA256 (`x-todoist-hmac-sha256`) | `https://panda.tail7af24.ts.net/webhooks/todoist` | |
External URL reference
| 29 | | front | message.received, message.sent, assignee.changed | HMAC-SHA1 (`x-front-signature`) | `https://panda.tail7af24.ts.net/webhooks/front` | |
External URL reference
| 30 | | vercel | deploy.succeeded, deploy.error, deploy.created, deploy.canceled | HMAC-SHA1 (`x-vercel-signature`) | `https://panda.tail7af24.ts.net/webhooks/vercel` | |
External URL reference
| 31 | | github | workflow_run.completed, package.published | HMAC-SHA256 (`x-hub-signature-256`) | `https://panda.tail7af24.ts.net/webhooks/github` | |
External URL reference
| 72 | curl -s http://localhost:3111/ | jq .webhooks |
External URL reference
| 83 | curl -X POST http://localhost:3111/webhooks/vercel \ |
External URL reference
| 117 | curl -X POST "https://api.vercel.com/v1/webhooks" \ |
External URL reference
| 121 | "url": "https://panda.tail7af24.ts.net/webhooks/vercel", |
External URL reference
| 131 | - **URL**: `https://panda.tail7af24.ts.net/webhooks/github` |