webhook-development

Facilitates the development of robust webhook systems for event-driven integrations, ensuring reliable delivery and security.

Install this skill

or

0/100

Security score

The webhook-development skill was audited on Feb 12, 2026 and we found 112 security issues across 3 threat categories. Review the findings below before installing.

Categories Tested

Security Issues

medium line 106

Template literal with variable interpolation in command context

SourceSKILL.md

106	id: `evt_${Date.now()}`,

medium line 159

Template literal with variable interpolation in command context

SourceSKILL.md

159	throw new Error(`HTTP ${response.status}`);

medium line 228

Template literal with variable interpolation in command context

SourceSKILL.md

228	id: `evt_test_${Date.now()}`,

medium line 2

Webhook reference - potential data exfiltration

SourceSKILL.md

2	name: webhook-development

medium line 3

Webhook reference - potential data exfiltration

SourceSKILL.md

3	description: Implement webhook systems for event-driven integration with retry logic, signature verification, and delivery guarantees. Use when creating event notification systems, integrating with ex

medium line 6

Webhook reference - potential data exfiltration

SourceSKILL.md

6	# Webhook Development

medium line 10

Webhook reference - potential data exfiltration

SourceSKILL.md

10	Build reliable webhook systems with event delivery, signature verification, retry logic, and dead-letter handling for asynchronous integrations.

medium line 23

Webhook reference - potential data exfiltration

SourceSKILL.md

23	### 1. Webhook Event Schema

medium line 50

Webhook reference - potential data exfiltration

SourceSKILL.md

50	### 2. Node.js Webhook Service

low line 61

Webhook reference - potential data exfiltration

SourceSKILL.md

61	const WEBHOOK_SECRET = process.env.WEBHOOK_SECRET;

low line 62

Webhook reference - potential data exfiltration

SourceSKILL.md

62	const webhookQueue = new Bull('webhooks', {

low line 66

Webhook reference - potential data exfiltration

SourceSKILL.md

66	// Register webhook subscription

low line 67

Webhook reference - potential data exfiltration

SourceSKILL.md

67	app.post('/api/webhooks/subscribe', async (req, res) => {

low line 77

Webhook reference - potential data exfiltration

SourceSKILL.md

77	const webhook = {

low line 88

Webhook reference - potential data exfiltration

SourceSKILL.md

88	await WebhookSubscription.create(webhook);

low line 91

Webhook reference - potential data exfiltration

SourceSKILL.md

91	id: webhook.id,

low line 92

Webhook reference - potential data exfiltration

SourceSKILL.md

92	secret: webhook.secret,

low line 93

Webhook reference - potential data exfiltration

SourceSKILL.md

93	message: 'Webhook registered successfully'

low line 97

Webhook reference - potential data exfiltration

SourceSKILL.md

97	// Send webhook event

low line 98

Webhook reference - potential data exfiltration

SourceSKILL.md

98	const sendWebhookEvent = async (eventType, data) => {

low line 99

Webhook reference - potential data exfiltration

SourceSKILL.md

99	const webhooks = await WebhookSubscription.find({

low line 104

Webhook reference - potential data exfiltration

SourceSKILL.md

104	for (const webhook of webhooks) {

low line 116

Webhook reference - potential data exfiltration

SourceSKILL.md

116	await webhookQueue.add(

low line 117

Webhook reference - potential data exfiltration

SourceSKILL.md

117	{ webhook, event },

low line 130

Webhook reference - potential data exfiltration

SourceSKILL.md

130	// Process webhook queue

low line 131

Webhook reference - potential data exfiltration

SourceSKILL.md

131	webhookQueue.process(async (job) => {

low line 132

Webhook reference - potential data exfiltration

SourceSKILL.md

132	const { webhook, event } = job.data;

low line 135

Webhook reference - potential data exfiltration

SourceSKILL.md

135	const signature = generateSignature(event, webhook.secret);

low line 137

Webhook reference - potential data exfiltration

SourceSKILL.md

137	const response = await axios.post(webhook.url, event, {

low line 140

Webhook reference - potential data exfiltration

SourceSKILL.md

140	'X-Webhook-Signature': signature,

low line 141

Webhook reference - potential data exfiltration

SourceSKILL.md

141	'X-Webhook-ID': event.id,

low line 142

Webhook reference - potential data exfiltration

SourceSKILL.md

142	'X-Webhook-Attempt': event.attempt

low line 149

Webhook reference - potential data exfiltration

SourceSKILL.md

149	await WebhookDelivery.create({

low line 150

Webhook reference - potential data exfiltration

SourceSKILL.md

150	webhookId: webhook.id,

low line 167

Webhook reference - potential data exfiltration

SourceSKILL.md

167	webhookId: webhook.id,

low line 175

Webhook reference - potential data exfiltration

SourceSKILL.md

175	webhook.failureCount++;

low line 176

Webhook reference - potential data exfiltration

SourceSKILL.md

176	if (webhook.failureCount >= 10) {

low line 177

Webhook reference - potential data exfiltration

SourceSKILL.md

177	webhook.active = false;

low line 179

Webhook reference - potential data exfiltration

SourceSKILL.md

179	await webhook.save();

low line 184

Webhook reference - potential data exfiltration

SourceSKILL.md

184	// Webhook endpoint (receiving webhooks)

low line 185

Webhook reference - potential data exfiltration

SourceSKILL.md

185	app.post('/webhooks/:id', async (req, res) => {

low line 186

Webhook reference - potential data exfiltration

SourceSKILL.md

186	const signature = req.headers['x-webhook-signature'];

low line 187

Webhook reference - potential data exfiltration

SourceSKILL.md

187	const webhookId = req.params.id;

low line 191

Webhook reference - potential data exfiltration

SourceSKILL.md

191	const webhook = await WebhookSubscription.findOne({ id: webhookId });

low line 192

Webhook reference - potential data exfiltration

SourceSKILL.md

192	if (!webhook) {

low line 193

Webhook reference - potential data exfiltration

SourceSKILL.md

193	return res.status(404).json({ error: 'Webhook not found' });

low line 197

Webhook reference - potential data exfiltration

SourceSKILL.md

197	const expectedSignature = generateSignature(event, webhook.secret);

low line 203

Webhook reference - potential data exfiltration

SourceSKILL.md

203	console.log('Received webhook event:', event);

low line 217

Webhook reference - potential data exfiltration

SourceSKILL.md

217	// List webhook subscriptions

low line 218

Webhook reference - potential data exfiltration

SourceSKILL.md

218	app.get('/api/webhooks', async (req, res) => {

low line 219

Webhook reference - potential data exfiltration

SourceSKILL.md

219	const webhooks = await WebhookSubscription.find({}, { secret: 0 });

low line 220

Webhook reference - potential data exfiltration

SourceSKILL.md

220	res.json(webhooks);

low line 223

Webhook reference - potential data exfiltration

SourceSKILL.md

223	// Test webhook delivery

low line 224

Webhook reference - potential data exfiltration

SourceSKILL.md

224	app.post('/api/webhooks/:id/test', async (req, res) => {

low line 225

Webhook reference - potential data exfiltration

SourceSKILL.md

225	const webhook = await WebhookSubscription.findOne({ id: req.params.id });

low line 230

Webhook reference - potential data exfiltration

SourceSKILL.md

230	event: 'webhook.test',

low line 234

Webhook reference - potential data exfiltration

SourceSKILL.md

234	await webhookQueue.add({ webhook, event: testEvent });

low line 240

Webhook reference - potential data exfiltration

SourceSKILL.md

240	app.post('/api/webhooks/deliveries/:id/retry', async (req, res) => {

low line 241

Webhook reference - potential data exfiltration

SourceSKILL.md

241	const delivery = await WebhookDelivery.findOne({ _id: req.params.id });

low line 246

Webhook reference - potential data exfiltration

SourceSKILL.md

246	const webhook = await WebhookSubscription.findOne({ id: delivery.webhookId });

low line 249

Webhook reference - potential data exfiltration

SourceSKILL.md

249	await webhookQueue.add({ webhook, event });

low line 254

Webhook reference - potential data exfiltration

SourceSKILL.md

254	// List webhook deliveries

low line 255

Webhook reference - potential data exfiltration

SourceSKILL.md

255	app.get('/api/webhooks/:id/deliveries', async (req, res) => {

low line 256

Webhook reference - potential data exfiltration

SourceSKILL.md

256	const deliveries = await WebhookDelivery.find({

low line 257

Webhook reference - potential data exfiltration

SourceSKILL.md

257	webhookId: req.params.id

low line 267

Webhook reference - potential data exfiltration

SourceSKILL.md

267	// Send webhook event

low line 268

Webhook reference - potential data exfiltration

SourceSKILL.md

268	await sendWebhookEvent('order.created', {

medium line 281

Webhook reference - potential data exfiltration

SourceSKILL.md

281	### 3. Python Webhook Handler

low line 296

Webhook reference - potential data exfiltration

SourceSKILL.md

296	class WebhookSubscription:

low line 313

Webhook reference - potential data exfiltration

SourceSKILL.md

313	@app.route('/api/webhooks/subscribe', methods=['POST'])

low line 314

Webhook reference - potential data exfiltration

SourceSKILL.md

314	def subscribe_webhook():

low line 320

Webhook reference - potential data exfiltration

SourceSKILL.md

320	webhook = WebhookSubscription(

low line 328

Webhook reference - potential data exfiltration

SourceSKILL.md

328	db.session.add(webhook)

low line 332

Webhook reference - potential data exfiltration

SourceSKILL.md

332	'id': webhook.id,

low line 333

Webhook reference - potential data exfiltration

SourceSKILL.md

333	'secret': webhook.secret,

low line 334

Webhook reference - potential data exfiltration

SourceSKILL.md

334	'message': 'Webhook registered'

low line 338

Webhook reference - potential data exfiltration

SourceSKILL.md

338	def deliver_webhook(self, webhook_id, event):

low line 339

Webhook reference - potential data exfiltration

SourceSKILL.md

339	webhook = WebhookSubscription.query.get(webhook_id)

low line 340

Webhook reference - potential data exfiltration

SourceSKILL.md

340	if not webhook:

low line 343

Webhook reference - potential data exfiltration

SourceSKILL.md

343	signature = generate_signature(event, webhook.secret)

low line 347

Webhook reference - potential data exfiltration

SourceSKILL.md

347	webhook.url,

low line 351

Webhook reference - potential data exfiltration

SourceSKILL.md

351	'X-Webhook-Signature': signature,

low line 352

Webhook reference - potential data exfiltration

SourceSKILL.md

352	'X-Webhook-ID': event['id'],

low line 353

Webhook reference - potential data exfiltration

SourceSKILL.md

353	'X-Webhook-Attempt': str(event.get('attempt', 1))

low line 359

Webhook reference - potential data exfiltration

SourceSKILL.md

359	WebhookDelivery.create(

low line 360

Webhook reference - potential data exfiltration

SourceSKILL.md

360	webhook_id=webhook_id,

low line 373

Webhook reference - potential data exfiltration

SourceSKILL.md

373	@app.route('/webhooks/<webhook_id>', methods=['POST'])

low line 374

Webhook reference - potential data exfiltration

SourceSKILL.md

374	def receive_webhook(webhook_id):

low line 375

Webhook reference - potential data exfiltration

SourceSKILL.md

375	signature = request.headers.get('X-Webhook-Signature')

low line 378

Webhook reference - potential data exfiltration

SourceSKILL.md

378	webhook = WebhookSubscription.query.get(webhook_id)

low line 379

Webhook reference - potential data exfiltration

SourceSKILL.md

379	if not webhook:

low line 382

Webhook reference - potential data exfiltration

SourceSKILL.md

382	expected_signature = generate_signature(event, webhook.secret)

low line 392

Webhook reference - potential data exfiltration

SourceSKILL.md

392	# Queue webhook delivery

low line 400

Webhook reference - potential data exfiltration

SourceSKILL.md

400	webhooks = WebhookSubscription.query.filter(

low line 401

Webhook reference - potential data exfiltration

SourceSKILL.md

401	WebhookSubscription.events.contains('order.created'),

low line 402

Webhook reference - potential data exfiltration

SourceSKILL.md

402	WebhookSubscription.active == True

low line 405

Webhook reference - potential data exfiltration

SourceSKILL.md

405	for webhook in webhooks:

low line 406

Webhook reference - potential data exfiltration

SourceSKILL.md

406	deliver_webhook.delay(webhook.id, event)

low line 418

Webhook reference - potential data exfiltration

SourceSKILL.md

418	- Sign all webhooks with HMAC

low line 421

Webhook reference - potential data exfiltration

SourceSKILL.md

421	- Track webhook deliveries for debugging

low line 422

Webhook reference - potential data exfiltration

SourceSKILL.md

422	- Provide webhook test endpoints

low line 432

Webhook reference - potential data exfiltration

SourceSKILL.md

432	- Synchronous webhook delivery

low line 434

Webhook reference - potential data exfiltration

SourceSKILL.md

434	- Expose webhook URLs publicly

low line 436

Webhook reference - potential data exfiltration

SourceSKILL.md

436	- Log webhook payloads with secrets

low line 437

Webhook reference - potential data exfiltration

SourceSKILL.md

437	- Skip webhook authentication

medium line 442

Webhook reference - potential data exfiltration

SourceSKILL.md

442	### 5. Webhook Events

low line 461

Webhook reference - potential data exfiltration

SourceSKILL.md

461	app.get('/api/webhooks/metrics', async (req, res) => {

low line 462

Webhook reference - potential data exfiltration

SourceSKILL.md

462	const total = await WebhookDelivery.countDocuments();

low line 463

Webhook reference - potential data exfiltration

SourceSKILL.md

463	const delivered = await WebhookDelivery.countDocuments({ status: 'delivered' });

low line 464

Webhook reference - potential data exfiltration

SourceSKILL.md

464	const failed = await WebhookDelivery.countDocuments({ status: 'failed' });

low line 465

Webhook reference - potential data exfiltration

SourceSKILL.md

465	const avgLatency = await WebhookDelivery.aggregate([

low line 61

Access to .env file

SourceSKILL.md

61	const WEBHOOK_SECRET = process.env.WEBHOOK_SECRET;

Scanned on Feb 12, 2026

View Security Dashboard

Installation guide →

GitHub Stars 55

Rate this skill

Categorydevelopment

UpdatedMay 21, 2026

openclaw backend backend-developer devops-sre product-manager development product

NeverSight/skills_feed