Like Repo 032, this bot does not verify the X-Hub-Signature header on incoming POST requests. The entire message handling pipeline can be triggered by any HTTP client that posts valid-looking JSON to the webhook endpoint. Combined with the fact that the bot may take real actions (sending messages, triggering integrations), this is a critical unauthenticated remote-trigger vulnerability.
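The check that is missing, as an added example rather than the bot's own code: the signature is an HMAC of the raw request body keyed with the app secret, it must be compared in constant time, and the message pipeline must not run until it passes. `APP_SECRET`, the sample body and the `dispatch` callback are constructed for the demo.

```python
import hashlib
import hmac
import json
from typing import Callable, Optional

# Constructed demo secret; a real bot loads this from its configuration.
APP_SECRET = b"demo-app-secret"
_DIGESTS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def verify_x_hub_signature(app_secret: bytes, raw_body: bytes, header: Optional[str]) -> bool:
    """True only if header is a valid X-Hub-Signature / X-Hub-Signature-256 for raw_body."""
    if not header or "=" not in header:
        return False                       # missing or malformed header: reject, never skip
    algo, _, received_hex = header.partition("=")
    if algo not in _DIGESTS:
        return False                       # unknown digest name
    try:
        received = bytes.fromhex(received_hex)
    except ValueError:
        return False                       # not hex at all
    # MAC over the exact bytes received, not over re-serialized JSON.
    expected = hmac.new(app_secret, raw_body, _DIGESTS[algo]).digest()
    return hmac.compare_digest(expected, received)   # constant-time, length-safe


def handle_webhook(raw_body: bytes, headers: dict, dispatch: Callable[[dict], None]) -> int:
    """Gate the message pipeline on the signature; returns the HTTP status to send."""
    sig = headers.get("X-Hub-Signature-256") or headers.get("X-Hub-Signature")
    if not verify_x_hub_signature(APP_SECRET, raw_body, sig):
        return 403                         # reject before parsing JSON or taking any action
    try:
        event = json.loads(raw_body)
    except ValueError:
        return 400
    dispatch(event)                        # only authenticated events reach the handlers
    return 200


def sign(app_secret: bytes, raw_body: bytes, algo: str = "sha256") -> str:
    """Header value the platform would send; used here only to drive the demo."""
    return f"{algo}={hmac.new(app_secret, raw_body, _DIGESTS[algo]).hexdigest()}"


if __name__ == "__main__":
    body = b'{"object":"page","entry":[{"messaging":[{"message":{"text":"hi"}}]}]}'
    seen = []
    print(handle_webhook(body, {}, seen.append))                                       # 403
    print(handle_webhook(body, {"X-Hub-Signature-256": sign(APP_SECRET, body)}, seen.append))  # 200
```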