# Send Webhook to your agent
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
## Fast path
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
## Suggested prompts
### New install

```text
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.
```
### Upgrade existing

```text
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.
```
## Machine-readable fields
```json
{
  "schemaVersion": "1.0",
  "item": {
    "slug": "webhook",
    "name": "Webhook",
    "source": "tencent",
    "type": "skill",
    "category": "通讯协作",
    "sourceUrl": "https://clawhub.ai/ivangdavila/webhook",
    "canonicalUrl": "https://clawhub.ai/ivangdavila/webhook",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadUrl": "/downloads/webhook",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=webhook",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "packageFormat": "ZIP package",
    "primaryDoc": "SKILL.md",
    "includedAssets": [
      "SKILL.md"
    ],
    "downloadMode": "redirect",
    "sourceHealth": {
      "source": "tencent",
      "slug": "webhook",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-05-01T19:06:37.978Z",
      "expiresAt": "2026-05-08T19:06:37.978Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=webhook",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=webhook",
        "contentDisposition": "attachment; filename=\"webhook-1.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null,
        "slug": "webhook"
      },
      "scope": "item",
      "summary": "Item download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this item.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/webhook"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    }
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/webhook",
    "downloadUrl": "https://openagent3.xyz/downloads/webhook",
    "agentUrl": "https://openagent3.xyz/skills/webhook/agent",
    "manifestUrl": "https://openagent3.xyz/skills/webhook/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/webhook/agent.md"
  }
}
```
## Documentation

### Receiving: Signature Verification

Always verify HMAC signature—payload can be forged; don't trust without signature
Common pattern: HMAC-SHA256(secret, raw_body) compared to header value
Use raw body bytes—parsed JSON may reorder keys, breaking signature
Timing-safe comparison—prevent timing attacks on signature check
Reject missing or invalid signature with 401—log for investigation

### Receiving: Replay Prevention

Check timestamp in payload or header—reject if too old (>5 minutes)
Combine with signature—timestamp without signature can be forged
Store processed event IDs—reject duplicates even within time window
Clock skew tolerance: allow 1-2 minutes past—but not hours

### Receiving: Idempotency (Critical)

Webhooks can arrive multiple times—sender retries on timeout, network issues
Use event ID for deduplication—store processed IDs in database/Redis
Make handlers idempotent—same event twice should have same effect
Idempotency window: keep IDs for 24-72h—balance storage vs protection

### Receiving: Fast Response

Return 200/202 immediately—process asynchronously in queue
Senders timeout (5-30s typical)—slow processing = retry = duplicates
Minimal validation before 200—signature check, then queue
Background job for actual processing—failures don't affect acknowledgment

### Receiving: Error Handling

2xx = success, sender won't retry
4xx = permanent failure, sender may stop retrying—use for bad signature, unknown event type
5xx = temporary failure, sender will retry—use for downstream issues
Log full payload on error—helps debugging; redact sensitive fields

### Sending: Retry Strategy

Exponential backoff: 1min, 5min, 30min, 2h, 8h—then give up or alert
Cap retries (5-10 attempts)—don't retry forever
Record delivery attempts—show status to user
Different retry for 4xx vs 5xx—4xx often means stop retrying

### Sending: Signature Generation

Include timestamp in signature—prevents replay of captured webhooks
Sign raw JSON body—document exact signing algorithm
Header format: t=timestamp,v1=signature—allows versioned signatures
Provide verification code examples—reduce integration friction

### Sending: Timeouts

5-10 second timeout—don't wait forever for slow receivers
Treat timeout as failure—retry later
Don't follow redirects—or limit to 1-2; prevents redirect loops
Validate HTTPS certificate—don't skip verification

### Event Design

Include event type: {"type": "order.created", ...}—receivers filter by type
Include timestamp: ISO 8601 with timezone—for ordering and freshness
Include full resource or ID—prefer full data; saves receiver a lookup
Version events: api_version field—allows breaking changes

### Delivery Tracking

Log every attempt: URL, status code, response time, response body
Dashboard for retry queue—let users see pending/failed deliveries
Manual retry button—for stuck webhooks after receiver fix
Webhook logs retention: 7-30 days—balance debugging vs storage

### Security Checklist

HTTPS only—never send webhooks to HTTP endpoints
Rotate secrets periodically—support multiple active secrets during rotation
IP allowlisting optional—document your IP ranges if offered
Don't include secrets in payload—webhook URL should be secret enough
Rate limit per endpoint—one slow receiver shouldn't affect others

### Common Mistakes

No signature verification—anyone can POST fake events to your endpoint
Processing before responding—timeout causes retries, duplicate processing
No idempotency handling—double charges, duplicate records
Trusting event data blindly—always verify by fetching from source API for critical actions
## Trust
- Source: tencent
- Verification: Indexed source record
- Publisher: ivangdavila
- Version: 1.0.0
## Source health
- Status: healthy
- Item download looks usable.
- Yavira can redirect you to the upstream package for this item.
- Health scope: item
- Reason: direct_download_ok
- Checked at: 2026-05-01T19:06:37.978Z
- Expires at: 2026-05-08T19:06:37.978Z
- Recommended action: Download for OpenClaw
## Links
- [Detail page](https://openagent3.xyz/skills/webhook)
- [Send to Agent page](https://openagent3.xyz/skills/webhook/agent)
- [JSON manifest](https://openagent3.xyz/skills/webhook/agent.json)
- [Markdown brief](https://openagent3.xyz/skills/webhook/agent.md)
- [Download page](https://openagent3.xyz/downloads/webhook)