v1.0.0
Webhook
Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 5:31 AM.
Analysis
This is an instruction-only webhook best-practices skill with no code or credentials; the main thing to watch is careful handling of webhook logs.
Guidance
This skill appears safe as guidance-only webhook documentation. Before using its recommendations in production, make sure webhook payload and response logging is minimized, redacted, access-controlled, and retained only as long as needed.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Sensitive data protection
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
Memory and Context Poisoning
Severity: Low
Confidence: High
Status: Note
SKILL.md
Log full payload on error—helps debugging; redact sensitive fields ... Log every attempt: URL, status code, response time, response body ... Webhook logs retention: 7-30 days
The skill recommends retaining webhook payloads, response bodies, and delivery logs. That is useful and purpose-aligned for debugging and reliability, and it explicitly mentions redaction, but webhook logs can contain sensitive customer or business data.
User impact
If implemented too broadly, webhook logs could retain private event data, URLs, or response contents longer than necessary.
Recommendation
Log only what is needed, redact secrets and personal data, restrict log access, and set retention periods appropriate to the sensitivity of the webhook data.
