Webhook
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is an instruction-only webhook best-practices skill with no code or credentials; the main thing to watch is careful handling of webhook logs.
This skill appears safe as guidance-only webhook documentation. Before using its recommendations in production, make sure webhook payload and response logging is minimized, redacted, access-controlled, and retained only as long as needed.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If implemented too broadly, webhook logs could retain private event data, URLs, or response contents longer than necessary.
The skill recommends retaining webhook payloads, response bodies, and delivery logs. That is useful and purpose-aligned for debugging and reliability, and it explicitly mentions redaction, but webhook logs can contain sensitive customer or business data.
Log full payload on error—helps debugging; redact sensitive fields ... Log every attempt: URL, status code, response time, response body ... Webhook logs retention: 7-30 days
Log only what is needed, redact secrets and personal data, restrict log access, and set retention periods appropriate to the sensitivity of the webhook data.
