Stripe Production Engineering
v1.0.0
Provides best practices and code patterns for building, scaling, and operating production Stripe payment systems from checkout to enterprise billing.
by @1kalin
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, README, and SKILL.md consistently describe Stripe production engineering guidance (checkout, subscriptions, webhooks, Connect, PCI guidance). The code snippets and recommended practices align with the stated purpose; nothing in the content appears unrelated to Stripe payment systems.
Instruction Scope
SKILL.md contains extensive runtime guidance and code examples that are scoped to Stripe integration (webhook handlers, idempotency, customer lifecycle). It does not instruct the agent to read unrelated system files, exfiltrate data, or call unexpected external endpoints. However the examples assume use of environment variables (e.g., process.env.STRIPE_SECRET_KEY) and a DB (db.users) — the registry does not declare those env vars or any required config paths, which is an inconsistency to be aware of.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to write or run. That is the lowest-risk install profile. (Note: README suggests a 'clawhub install' command, but the registry shows no install spec — a benign mismatch in metadata, not an active install risk.)
Credentials
The SKILL.md uses and expects Stripe credentials (STRIPE_SECRET_KEY) and other runtime inputs (DB access, webhook endpoints), but the registry metadata lists no required environment variables or primary credential. If you enable the skill for autonomous use or run its examples, you would need to supply Stripe secrets — the registry should have declared this. The omission increases risk because users may not realize what secrets the skill expects or how the agent might use them. Ensure any Stripe key provided is a restricted key with minimal permissions and not an account-wide secret.
Persistence & Privilege
The skill does not request persistent/always-on inclusion (always: false) and does not attempt to modify other skills or system-wide settings. It uses the normal, expected autonomous-invocation defaults. No elevated privileges are declared.
What to consider before installing
This skill is largely coherent and appears to be a Stripe best-practices guide, but it references runtime secrets and infrastructure (e.g., STRIPE_SECRET_KEY, DB mappings, webhook endpoints) that are not declared in the registry. Before installing or enabling it:
1) Treat the skill as documentation/code snippets — it will not run anything by itself, but if you follow its guidance or let an agent act on it, you will need to provide Stripe credentials.
2) Never paste a full live secret into chat — use restricted API keys (limited permissions, single-purpose), and rotate keys after testing.
3) Verify the source/author (owner slug and external links are present in README but the registry 'source' is unknown); prefer installing skills from known/trusted authors.
4) Test any generated code in a safe sandbox (test-mode Stripe keys) before using live keys.
5) If you plan to let the agent act autonomously, supply only the minimal permissions it needs (for example, a restricted key that cannot perform refunds or account-wide changes) and monitor logs for unexpected API calls.
Like a lobster shell, security has layers — review code before you run it.
Tags: afrexai, billing, latest, payments, saas, stripe, subscriptions, webhooks
