← Back to Skills Marketplace
80
Downloads
0
Stars
2
Active Installs
1
Versions
Install in OpenClaw
/install webhook-automation
Description
Event-driven webhook workflows with HMAC verification, retry logic, and multi-provider patterns. Use when: (1) receiving webhooks from GitHub, Stripe, Slack,...
Usage Guidance
This skill is internally coherent and implements what it claims, but before using it in production you should: (1) ensure you set a strong WEBHOOK_SECRET (do not leave it empty) and store it with restrictive file permissions; (2) update verify_signature to require a secret and fail closed (do not accept requests when no secret is configured); (3) adapt verification to each provider (Slack uses a timestamp + v0= HMAC scheme, GitHub expects sha256=...), and validate timestamps where applicable to prevent replay attacks; (4) avoid logging full payloads (logs can leak secrets or PII) or sanitize sensitive fields; (5) run the server behind TLS/HTTPS and/or a reverse proxy, bind to a restricted interface if you don't want public exposure, and use firewall rules; (6) populate the ROUTES mapping and add robust error handling and retry/backoff logic if you need guaranteed delivery; and (7) consider running this code in an isolated environment (container) and performing a code review before exposing it to public webhook traffic.
Capability Analysis
Type: OpenClaw Skill
Name: webhook-automation
Version: 1.0.0
The skill bundle provides a legitimate and well-documented framework for building webhook servers with security features like HMAC signature verification for GitHub, Stripe, and Slack. The Python scripts (webhook_server.py and handlers.py) follow standard practices for event routing and payload parsing, and the documentation in skill.md focuses on educational implementation rather than malicious exploitation. No evidence of data exfiltration, unauthorized remote execution, or harmful prompt injection was found.
Capability Tags
Capability Assessment
Purpose & Capability
Name/description (webhook verification, routing, retries) align with the included code. The repository contains a minimal HTTP webhook server and handler stubs, and the code only touches a secret file or WEBHOOK_SECRET env var — all are coherent with the stated purpose.
Instruction Scope
SKILL.md and the Python code stay within webhook-handling scope (read request body, verify HMAC, parse JSON, route to handlers). However, the verification function returns True when no secret is configured (insecure default), handlers log payload content (handle_default logs the first 200 chars), the Slack signature handling is oversimplified (Slack uses a timestamped scheme), and the server binds to 0.0.0.0:8443 by default which exposes it to the network. These are functional/security caveats rather than indicators of misdirection.
Install Mechanism
No install spec or external downloads. This is instruction-only with included Python scripts, so nothing is fetched or executed from third-party URLs during install.
Credentials
The code uses a single secret (config/webhook_secret.txt or the WEBHOOK_SECRET env var) which is appropriate for HMAC verification. No unrelated credentials or configuration paths are requested.
Persistence & Privilege
Skill does not request always: true, does not modify other skills or global agent settings, and does not attempt to install persistent agents. It simply runs a server when executed.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install webhook-automation - After installation, invoke the skill by name or use
/webhook-automation - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of webhook-automation skill.
- Provides a Python-based webhook server with HMAC signature verification to ensure request authenticity.
- Supports routing of incoming webhook events to custom handler functions based on event type.
- Includes built-in retry logic for failed deliveries with exponential backoff.
- Protects against spoofed requests by validating provider signatures (e.g., GitHub, Stripe, Slack).
- Allows easy creation and extension of handlers for multiple providers and event types.
Metadata
Frequently Asked Questions
What is webhook-automation?
Event-driven webhook workflows with HMAC verification, retry logic, and multi-provider patterns. Use when: (1) receiving webhooks from GitHub, Stripe, Slack,... It is an AI Agent Skill for Claude Code / OpenClaw, with 80 downloads so far.
How do I install webhook-automation?
Run "/install webhook-automation" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is webhook-automation free?
Yes, webhook-automation is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does webhook-automation support?
webhook-automation is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created webhook-automation?
It is built and maintained by Fuzzyb33s (@fuzzyb33s); the current version is v1.0.0.
More Skills