This may be me, but it seems like it doesn't validate webhook signatures.

If I configure it with an incorrect webhook secret the requests are still handled as a 200 response. I assume it needs to be passing the X-Hub-Signature, and probably the raw request body, along to probot somewhere?