{ "schemaVersion": "1.0", "item": { "slug": "webhook", "name": "Webhook", "source": "tencent", "type": "skill", "category": "通讯协作", "sourceUrl": "https://clawhub.ai/ivangdavila/webhook", "canonicalUrl": "https://clawhub.ai/ivangdavila/webhook", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/webhook", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=webhook", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "SKILL.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-30T16:55:25.780Z", "expiresAt": "2026-05-07T16:55:25.780Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentDisposition": "attachment; filename=\"network-1.0.0.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/webhook" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/webhook", "agentPageUrl": "https://openagent3.xyz/skills/webhook/agent", "manifestUrl": "https://openagent3.xyz/skills/webhook/agent.json", "briefUrl": "https://openagent3.xyz/skills/webhook/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "Receiving: Signature Verification", "body": "Always verify HMAC signature—payload can be forged; don't trust without signature\nCommon pattern: HMAC-SHA256(secret, raw_body) compared to header value\nUse raw body bytes—parsed JSON may reorder keys, breaking signature\nTiming-safe comparison—prevent timing attacks on signature check\nReject missing or invalid signature with 401—log for investigation" }, { "title": "Receiving: Replay Prevention", "body": "Check timestamp in payload or header—reject if too old (>5 minutes)\nCombine with signature—timestamp without signature can be forged\nStore processed event IDs—reject duplicates even within time window\nClock skew tolerance: allow 1-2 minutes past—but not hours" }, { "title": "Receiving: Idempotency (Critical)", "body": "Webhooks can arrive multiple times—sender retries on timeout, network issues\nUse event ID for deduplication—store processed IDs in database/Redis\nMake handlers idempotent—same event twice should have same effect\nIdempotency window: keep IDs for 24-72h—balance storage vs protection" }, { "title": "Receiving: Fast Response", "body": "Return 200/202 immediately—process asynchronously in queue\nSenders timeout (5-30s typical)—slow processing = retry = duplicates\nMinimal validation before 200—signature check, then queue\nBackground job for actual processing—failures don't affect acknowledgment" }, { "title": "Receiving: Error Handling", "body": "2xx = success, sender won't retry\n4xx = permanent failure, sender may stop retrying—use for bad signature, unknown event type\n5xx = temporary failure, sender will retry—use for downstream issues\nLog full payload on error—helps debugging; redact sensitive fields" }, { "title": "Sending: Retry Strategy", "body": "Exponential backoff: 1min, 5min, 30min, 2h, 8h—then give up or alert\nCap retries (5-10 attempts)—don't retry forever\nRecord delivery attempts—show status to user\nDifferent retry for 4xx vs 5xx—4xx often means stop retrying" }, { "title": "Sending: Signature Generation", "body": "Include timestamp in signature—prevents replay of captured webhooks\nSign raw JSON body—document exact signing algorithm\nHeader format: t=timestamp,v1=signature—allows versioned signatures\nProvide verification code examples—reduce integration friction" }, { "title": "Sending: Timeouts", "body": "5-10 second timeout—don't wait forever for slow receivers\nTreat timeout as failure—retry later\nDon't follow redirects—or limit to 1-2; prevents redirect loops\nValidate HTTPS certificate—don't skip verification" }, { "title": "Event Design", "body": "Include event type: {\"type\": \"order.created\", ...}—receivers filter by type\nInclude timestamp: ISO 8601 with timezone—for ordering and freshness\nInclude full resource or ID—prefer full data; saves receiver a lookup\nVersion events: api_version field—allows breaking changes" }, { "title": "Delivery Tracking", "body": "Log every attempt: URL, status code, response time, response body\nDashboard for retry queue—let users see pending/failed deliveries\nManual retry button—for stuck webhooks after receiver fix\nWebhook logs retention: 7-30 days—balance debugging vs storage" }, { "title": "Security Checklist", "body": "HTTPS only—never send webhooks to HTTP endpoints\nRotate secrets periodically—support multiple active secrets during rotation\nIP allowlisting optional—document your IP ranges if offered\nDon't include secrets in payload—webhook URL should be secret enough\nRate limit per endpoint—one slow receiver shouldn't affect others" }, { "title": "Common Mistakes", "body": "No signature verification—anyone can POST fake events to your endpoint\nProcessing before responding—timeout causes retries, duplicate processing\nNo idempotency handling—double charges, duplicate records\nTrusting event data blindly—always verify by fetching from source API for critical actions" } ], "body": "Receiving: Signature Verification\nAlways verify HMAC signature—payload can be forged; don't trust without signature\nCommon pattern: HMAC-SHA256(secret, raw_body) compared to header value\nUse raw body bytes—parsed JSON may reorder keys, breaking signature\nTiming-safe comparison—prevent timing attacks on signature check\nReject missing or invalid signature with 401—log for investigation\nReceiving: Replay Prevention\nCheck timestamp in payload or header—reject if too old (>5 minutes)\nCombine with signature—timestamp without signature can be forged\nStore processed event IDs—reject duplicates even within time window\nClock skew tolerance: allow 1-2 minutes past—but not hours\nReceiving: Idempotency (Critical)\nWebhooks can arrive multiple times—sender retries on timeout, network issues\nUse event ID for deduplication—store processed IDs in database/Redis\nMake handlers idempotent—same event twice should have same effect\nIdempotency window: keep IDs for 24-72h—balance storage vs protection\nReceiving: Fast Response\nReturn 200/202 immediately—process asynchronously in queue\nSenders timeout (5-30s typical)—slow processing = retry = duplicates\nMinimal validation before 200—signature check, then queue\nBackground job for actual processing—failures don't affect acknowledgment\nReceiving: Error Handling\n2xx = success, sender won't retry\n4xx = permanent failure, sender may stop retrying—use for bad signature, unknown event type\n5xx = temporary failure, sender will retry—use for downstream issues\nLog full payload on error—helps debugging; redact sensitive fields\nSending: Retry Strategy\nExponential backoff: 1min, 5min, 30min, 2h, 8h—then give up or alert\nCap retries (5-10 attempts)—don't retry forever\nRecord delivery attempts—show status to user\nDifferent retry for 4xx vs 5xx—4xx often means stop retrying\nSending: Signature Generation\nInclude timestamp in signature—prevents replay of captured webhooks\nSign raw JSON body—document exact signing algorithm\nHeader format: t=timestamp,v1=signature—allows versioned signatures\nProvide verification code examples—reduce integration friction\nSending: Timeouts\n5-10 second timeout—don't wait forever for slow receivers\nTreat timeout as failure—retry later\nDon't follow redirects—or limit to 1-2; prevents redirect loops\nValidate HTTPS certificate—don't skip verification\nEvent Design\nInclude event type: {\"type\": \"order.created\", ...}—receivers filter by type\nInclude timestamp: ISO 8601 with timezone—for ordering and freshness\nInclude full resource or ID—prefer full data; saves receiver a lookup\nVersion events: api_version field—allows breaking changes\nDelivery Tracking\nLog every attempt: URL, status code, response time, response body\nDashboard for retry queue—let users see pending/failed deliveries\nManual retry button—for stuck webhooks after receiver fix\nWebhook logs retention: 7-30 days—balance debugging vs storage\nSecurity Checklist\nHTTPS only—never send webhooks to HTTP endpoints\nRotate secrets periodically—support multiple active secrets during rotation\nIP allowlisting optional—document your IP ranges if offered\nDon't include secrets in payload—webhook URL should be secret enough\nRate limit per endpoint—one slow receiver shouldn't affect others\nCommon Mistakes\nNo signature verification—anyone can POST fake events to your endpoint\nProcessing before responding—timeout causes retries, duplicate processing\nNo idempotency handling—double charges, duplicate records\nTrusting event data blindly—always verify by fetching from source API for critical actions" }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/ivangdavila/webhook", "publisherUrl": "https://clawhub.ai/ivangdavila/webhook", "owner": "ivangdavila", "version": "1.0.0", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/webhook", "downloadUrl": "https://openagent3.xyz/downloads/webhook", "agentUrl": "https://openagent3.xyz/skills/webhook/agent", "manifestUrl": "https://openagent3.xyz/skills/webhook/agent.json", "briefUrl": "https://openagent3.xyz/skills/webhook/agent.md" } }