Skip to main content

val-town

Enables instant deployment of server-side TypeScript functions for quick API endpoints, cron jobs, and webhook handling without infrastructure.

Install this skill

or
36/100

Security score

The val-town skill was audited on Mar 7, 2026 and we found 24 security issues across 4 threat categories. Review the findings below before installing.

Categories Tested

Security Issues

medium line 44

Template literal with variable interpolation in command context

SourceSKILL.md
44return Response.json({ message: `Hello, ${name}!` });
medium line 70

Template literal with variable interpolation in command context

SourceSKILL.md
70text: `📊 Daily Report: ${stats.users} users, ${stats.revenue} revenue`,
low line 63

Fetch to external URL

SourceSKILL.md
63const response = await fetch("https://api.example.com/stats");
low line 133

Fetch to external URL

SourceSKILL.md
133await fetch("https://api.myapp.com/activate", {
medium line 6

Webhook reference - potential data exfiltration

SourceSKILL.md
6"quick API endpoint", "webhook handler", "cron job in the cloud", "Val Town",
medium line 26

Webhook reference - potential data exfiltration

SourceSKILL.md
26- Need a quick API endpoint or webhook handler (minutes, not hours)
medium line 29

Webhook reference - potential data exfiltration

SourceSKILL.md
29- Webhook receivers for Stripe, GitHub, Slack integrations
low line 67

Webhook reference - potential data exfiltration

SourceSKILL.md
67await fetch(Deno.env.get("SLACK_WEBHOOK")!, {
medium line 116

Webhook reference - potential data exfiltration

SourceSKILL.md
116### Webhook Handler
low line 119

Webhook reference - potential data exfiltration

SourceSKILL.md
119// @user/stripeWebhook — Handle Stripe webhooks
low line 124

Webhook reference - potential data exfiltration

SourceSKILL.md
124// Verify webhook signature
low line 126

Webhook reference - potential data exfiltration

SourceSKILL.md
126const secret = Deno.env.get("STRIPE_WEBHOOK_SECRET");
medium line 157

Webhook reference - potential data exfiltration

SourceSKILL.md
157### Example 2: GitHub webhook to Slack
medium line 161

Webhook reference - potential data exfiltration

SourceSKILL.md
161The agent will create an HTTP val that handles GitHub webhook events, filters for star events, and posts to a Slack webhook URL.
medium line 173

Webhook reference - potential data exfiltration

SourceSKILL.md
173- **Not for production traffic** — great for webhooks, cron, prototypes; use proper infra for high-traffic APIs
low line 67

Access to .env file

SourceSKILL.md
67await fetch(Deno.env.get("SLACK_WEBHOOK")!, {
low line 125

Access to .env file

SourceSKILL.md
125// In Val Town, use Deno.env.get() for secrets
low line 126

Access to .env file

SourceSKILL.md
126const secret = Deno.env.get("STRIPE_WEBHOOK_SECRET");
medium line 166

Access to .env file

SourceSKILL.md
166- **Environment variables via `Deno.env.get()`** — store secrets in Val Town settings
low line 38

External URL reference

SourceSKILL.md
38// @user/myApi — Deployed instantly at https://user-myapi.web.val.run
low line 63

External URL reference

SourceSKILL.md
63const response = await fetch("https://api.example.com/stats");
low line 80

External URL reference

SourceSKILL.md
80import { sqlite } from "https://esm.town/v/std/sqlite";
low line 133

External URL reference

SourceSKILL.md
133await fetch("https://api.myapp.com/activate", {
low line 169

External URL reference

SourceSKILL.md
169- **Import from URLs** — `import { x } from "https://esm.town/v/user/module"`
Scanned on Mar 7, 2026
View Security Dashboard

Install this skill with one command

/learn @terminalskills/val-town
GitHub Stars 10
Rate this skill
Categorydevelopment
UpdatedMarch 29, 2026
openclawbackendbackend-developerproduct-managergrowth-pmdevops-sredata-engineerdevelopmentproduct
TerminalSkills/skills