Stripe Production Engineering
PassAudited by ClawScan on May 1, 2026.
Overview
This is an instruction-only Stripe engineering guide with payment-related examples, but the sensitive behavior shown is disclosed and aligned with its stated purpose.
This skill appears safe to install as documentation, but treat any generated Stripe code as financially sensitive: test first, use restricted keys, verify webhooks and idempotency, and require review before live billing or subscription changes.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If applied carelessly, the user's Stripe credentials could authorize real account changes or live payment operations.
The example integration uses a Stripe secret key, which is expected for server-side Stripe work but gives access to sensitive payment account operations if copied into a real application.
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!, {Use restricted Stripe keys, keep test and live keys separated, store secrets securely, and review permissions before deploying generated code.
Generated or copied code may create or change billing objects in Stripe if run against a live account.
The skill includes code patterns for creating Stripe customers and checkout sessions, which are mutating payment-system operations but are central to the stated Stripe production engineering purpose.
const customer = await stripe.customers.create({ ... });Run examples in Stripe test mode first, require human review before live billing changes, and keep idempotency and rollback procedures in place.