Stripe Production Engineering
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is an instruction-only Stripe engineering guide with payment-related examples, but the sensitive behavior shown is disclosed and aligned with its stated purpose.
This skill appears safe to install as documentation, but treat any generated Stripe code as financially sensitive: test first, use restricted keys, verify webhooks and idempotency, and require review before live billing or subscription changes.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
50/50 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If applied carelessly, the user's Stripe credentials could authorize real account changes or live payment operations.
The example integration uses a Stripe secret key, which is expected for server-side Stripe work but gives access to sensitive payment account operations if copied into a real application.
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!, {Use restricted Stripe keys, keep test and live keys separated, store secrets securely, and review permissions before deploying generated code.
Generated or copied code may create or change billing objects in Stripe if run against a live account.
The skill includes code patterns for creating Stripe customers and checkout sessions, which are mutating payment-system operations but are central to the stated Stripe production engineering purpose.
const customer = await stripe.customers.create({ ... });Run examples in Stripe test mode first, require human review before live billing changes, and keep idempotency and rollback procedures in place.