Stripe Production Engineering
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: afrexai-stripe-production
Version: 1.0.0
The skill bundle provides comprehensive, well-structured guidance and code examples for integrating Stripe, covering architecture, subscriptions, webhooks, security, and operations. All code snippets demonstrate best practices, such as using environment variables for API keys, verifying webhook signatures, and implementing idempotency. The instructions for the AI agent are clearly defined and align with the stated purpose of providing Stripe engineering knowledge. There is no evidence of malicious intent, prompt injection attempts to subvert the agent, data exfiltration, or risky vulnerabilities. External links point to the publisher's legitimate GitHub Pages and ClawHub profile.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If applied carelessly, the user's Stripe credentials could authorize real account changes or live payment operations.
The example integration uses a Stripe secret key, which is expected for server-side Stripe work but gives access to sensitive payment account operations if copied into a real application.
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!, {
Use restricted Stripe keys, keep test and live keys separated, store secrets securely, and review permissions before deploying generated code.
Generated or copied code may create or change billing objects in Stripe if run against a live account.
The skill includes code patterns for creating Stripe customers and checkout sessions, which are mutating payment-system operations but are central to the stated Stripe production engineering purpose.
const customer = await stripe.customers.create({ ... });
Run examples in Stripe test mode first, require human review before live billing changes, and keep idempotency and rollback procedures in place.
