CC3PO Webhook
Pass
Audited by ClawScan on May 9, 2026.
Overview
This instruction-only skill gives reasonable webhook security guidance and does not install or run code, but users should implement its logging advice carefully.
This looks safe to install as an instruction-only webhook guidance skill. Before using its advice in production, confirm the listing provenance if the metadata mismatch concerns you, and make sure any webhook logging avoids storing secrets or unnecessary personal data.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may want to confirm the listing and author are the intended ones before relying on the skill.
The bundled metadata owner and slug differ from the supplied registry metadata, which lists owner ID kn796r7cqrv3c217kgeqy110rn86dynd and slug cc3po-webhook. This is a provenance/identity inconsistency, but the skill has no install code or executable payload.
"ownerId": "kn73vp5rarc3b14rc7wjcw8f8580t5d1", "slug": "webhook"
Verify the skill listing provenance if author identity matters; no executable install behavior was present in the provided artifacts.
If implemented too broadly, webhook logs could retain sensitive data longer than necessary or expose it to people who can read logs.
The skill recommends storing webhook payloads, delivery attempts, and logs. This is normal for webhook reliability, and it explicitly mentions redaction and bounded retention, but webhook payloads or response bodies can contain sensitive business or user data.
Log full payload on error—helps debugging; redact sensitive fields ... Webhook logs retention: 7-30 days—balance debugging vs storage
Log only what is needed, redact secrets and personal data, restrict log access, and enforce short retention appropriate to the application.
