webhook-processor
Facilitates the creation of robust webhook processing systems with features like retry logic and signature verification.
Install this skill
Security score
The webhook-processor skill was audited on Mar 7, 2026 and we found 26 security issues across 2 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 115 | console.error(`Dead letter: job ${job.id} — ${err.message}`); |
Webhook reference - potential data exfiltration
| 2 | name: webhook-processor |
Webhook reference - potential data exfiltration
| 4 | Build and configure webhook processing systems with retry logic, signature |
Webhook reference - potential data exfiltration
| 6 | and reliably process incoming webhooks from payment providers, version control |
Webhook reference - potential data exfiltration
| 7 | platforms, or third-party APIs. Trigger words: webhook, callback URL, event |
Webhook reference - potential data exfiltration
| 15 | tags: ["webhooks", "retry-logic", "event-driven", "idempotency"] |
Webhook reference - potential data exfiltration
| 18 | # Webhook Processor |
Webhook reference - potential data exfiltration
| 21 | This skill helps you build production-grade webhook ingestion endpoints that accept incoming HTTP callbacks, verify their authenticity, and process them reliably with exponential backoff retries and d |
Webhook reference - potential data exfiltration
| 25 | ### 1. Scaffold the webhook endpoint |
Webhook reference - potential data exfiltration
| 26 | Create an HTTP endpoint that accepts POST requests. Immediately return a 200 status before processing — webhook senders expect fast acknowledgment. |
Webhook reference - potential data exfiltration
| 29 | // webhook-receiver.ts |
Webhook reference - potential data exfiltration
| 37 | const webhookQueue = new Queue("webhooks", { |
Webhook reference - potential data exfiltration
| 41 | app.post("/webhooks/:source", async (req, res) => { |
Webhook reference - potential data exfiltration
| 47 | await webhookQueue.add( |
Webhook reference - potential data exfiltration
| 67 | ### 2. Verify webhook signatures |
Webhook reference - potential data exfiltration
| 97 | "webhooks", |
Webhook reference - potential data exfiltration
| 102 | throw new Error("Invalid webhook signature — will not retry"); |
Webhook reference - potential data exfiltration
| 136 | ### Example 1: Payment provider webhook |
Webhook reference - potential data exfiltration
| 137 | **Prompt:** "Set up a webhook endpoint to receive payment events. It should verify HMAC-SHA256 signatures, retry failed processing up to 5 times with exponential backoff, and log dead letter events." |
Webhook reference - potential data exfiltration
| 140 | - Creates `src/webhooks/payment-handler.ts` with signature verification using the provider's signing secret |
Webhook reference - potential data exfiltration
| 145 | ### Example 2: Version control platform webhook |
Webhook reference - potential data exfiltration
| 146 | **Prompt:** "Build a webhook handler for repository push events that triggers CI builds. Include idempotency so duplicate deliveries don't start duplicate builds." |
Webhook reference - potential data exfiltration
| 149 | - Creates `src/webhooks/repo-handler.ts` that validates the event type and extracts commit SHA |
Webhook reference - potential data exfiltration
| 156 | - **Always return 200 immediately** — process asynchronously. Webhook senders timeout after 5-30 seconds and will retry, causing duplicates. |
Webhook reference - potential data exfiltration
| 161 | - **Rate limit your worker** to avoid overwhelming downstream services during webhook storms. |
Webhook reference - potential data exfiltration
| 162 | - **Handle schema changes** gracefully — webhook payloads evolve. Use optional chaining and validate required fields explicitly. |
Install this skill with one command
/learn @terminalskills/webhook-processor