intercom-security-basics
Applies best practices for securing Intercom tokens and webhooks, ensuring safe integration and data protection.
Security score
The intercom-security-basics skill was audited on May 28, 2026 and we found 29 security issues across 3 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Curl to non-GitHub URL
| 168 | curl -s https://api.intercom.io/me \ |
Webhook reference - potential data exfiltration
| 3 | description: 'Apply Intercom security best practices for tokens, webhook verification, |
Webhook reference - potential data exfiltration
| 6 | Use when securing access tokens, implementing webhook signature validation, |
Webhook reference - potential data exfiltration
| 12 | "secure intercom", "intercom webhook signature", "intercom token rotation". |
Webhook reference - potential data exfiltration
| 30 | Security best practices for Intercom access tokens, webhook signature verification, Identity Verification (HMAC), and least-privilege OAuth scopes. |
Webhook reference - potential data exfiltration
| 45 | INTERCOM_WEBHOOK_SECRET=your-webhook-signing-secret |
Webhook reference - potential data exfiltration
| 62 | ### Step 2: Webhook Signature Verification (X-Hub-Signature) |
Webhook reference - potential data exfiltration
| 64 | Intercom signs webhook notifications with HMAC-SHA1 using `X-Hub-Signature`. You must verify this on every incoming webhook. |
Webhook reference - potential data exfiltration
| 70 | function verifyIntercomWebhook( |
Webhook reference - potential data exfiltration
| 91 | "/webhooks/intercom", |
Webhook reference - potential data exfiltration
| 100 | if (!verifyIntercomWebhook(req.body, signature, process.env.INTERCOM_WEBHOOK_SECRET!)) { |
Webhook reference - potential data exfiltration
| 105 | // Process verified webhook... |
Webhook reference - potential data exfiltration
| 181 | - [ ] Webhook signatures verified on every request (X-Hub-Signature) |
Webhook reference - potential data exfiltration
| 186 | - [ ] HTTPS enforced for all webhook endpoints |
Webhook reference - potential data exfiltration
| 193 | | Invalid webhook signature | 401 from verification | Check secret matches Developer Hub | |
Webhook reference - potential data exfiltration
| 202 | - [Webhook Notifications](https://developers.intercom.com/docs/webhooks/webhook-notifications) |
Access to .env file
| 43 | # .env (NEVER commit to git) |
Access to .env file
| 49 | .env |
Access to .env file
| 50 | .env.local |
Access to .env file
| 51 | .env.*.local |
Access to .env file
| 100 | if (!verifyIntercomWebhook(req.body, signature, process.env.INTERCOM_WEBHOOK_SECRET!)) { |
Access to .env file
| 121 | .createHmac("sha256", process.env.INTERCOM_IDENTITY_SECRET!) |
Access to .env file
| 130 | app_id: process.env.INTERCOM_APP_ID, |
Access to .env file
| 179 | - [ ] `.env` files in `.gitignore` |
External URL reference
| 168 | curl -s https://api.intercom.io/me \ |
External URL reference
| 200 | - [Authentication](https://developers.intercom.com/docs/build-an-integration/learn-more/authentication) |
External URL reference
| 201 | - [OAuth Scopes](https://developers.intercom.com/docs/build-an-integration/learn-more/authentication/oauth-scopes) |
External URL reference
| 202 | - [Webhook Notifications](https://developers.intercom.com/docs/webhooks/webhook-notifications) |
External URL reference
| 203 | - [Identity Verification](https://developers.intercom.com/installing-intercom/web/identity-verification) |