Skylv Webhook Workflow Builder
AdvisoryAudited by Static analysis on May 6, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Webhook payloads may be forwarded to downstream endpoints, so misconfigured routes could send event data to the wrong service.
The skill is designed to move webhook payloads between systems, which is expected for webhook automation but creates data-boundary considerations.
- **Routing Rules**: Route webhooks to different endpoints based on conditions
Only route webhooks to trusted endpoints, verify signatures, and confirm what payload data is shared before enabling routes.
Webhook logs could contain sensitive business, payment, form, or repository event information.
The skill describes retaining delivery history, which is useful for webhook management but may store sensitive event details depending on payloads.
- **Logging**: Full webhook delivery history and status
Configure log retention, access controls, and redaction for sensitive webhook payload fields.
A bad webhook rule or failing endpoint could cause repeated downstream calls.
Automatic retries are normal for webhook systems, but repeated delivery attempts can amplify misrouted or malformed events if workflow rules are wrong.
- **Retry Handling**: Automatic retries for failed deliveries
Use retry limits, dead-letter handling, event filtering, and manual review for high-impact workflows.
Users may need to provide their own runtime and public endpoint setup outside the registry-declared requirements.
The skill documents runtime/network requirements, but the registry has no install spec or declared required binaries. This is not suspicious by itself, but users should notice the setup requirements.
## Requirements - Node.js 18+ - Public URL for webhook reception (ngrok, etc.)
Review any runtime, tunnel, or webhook-hosting setup you create for this skill, and avoid exposing local services without authentication and signature validation.