Hookflo Webhooks
Pass. Audited by ClawScan on May 1, 2026.
Overview
This instruction-only skill appears purpose-aligned for webhook verification and Hookflo setup, with normal cautions around webhook secrets, npm package installation, and sending webhook data to a hosted alerting/logging service.
This skill looks reasonable for webhook help. Before using the Hookflo hosted workflow, confirm that the webhook payloads are allowed to be sent to Hookflo and notification channels, keep signing secrets out of prompts and source control, and verify the @hookflo/tern package before installing it.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1
Webhook payloads can contain customer, payment, account, or operational data that may become visible to Hookflo and notification recipients.
The skill may guide users to send webhook events through a hosted service and onward to Slack or email, which creates an external data flow for webhook payloads.
Evidence: "Hookflo — a hosted webhook event alerting and logging platform. Sends real-time Slack/email alerts when webhooks fire... you point your provider at Hookflo's URL"
Recommendation: Only route webhook events to Hookflo and Slack/email if that is acceptable for the data involved; review retention, access controls, and compliance requirements first.
Finding 2
If these secrets are pasted into chat, logged, or exposed in code, attackers could forge or validate webhook traffic, depending on the provider.
The skill references webhook signing secrets and tokens used to verify incoming events. These are expected for webhook security, but they are still sensitive configuration values.
Evidence: STRIPE_WEBHOOK_SECRET... GITHUB_WEBHOOK_SECRET... CLERK_WEBHOOK_SECRET... SUPABASE_WEBHOOK_TOKEN
Recommendation: Keep webhook secrets in environment variables or a secrets manager, avoid sharing them in prompts, and rotate them if they may have been exposed.
Finding 3
Installing a package adds third-party code to the user’s project environment.
The skill instructs users to install an external npm package. This is central to the stated Tern webhook-verification purpose, but it is still a normal supply-chain dependency to verify.
Evidence: npm install @hookflo/tern
Recommendation: Verify the package name and source, use normal dependency review practices, and pin versions where appropriate.
