Security audit

Stripe Direct Connection

Security checks across malware telemetry and agentic risk

Overview

This Stripe skill is coherent and not malware, but it gives agents broad financial write access without clear confirmation safeguards for high-impact actions.

Install only for agents that are allowed to act on your Stripe account. Use restricted Stripe credentials where possible, prefer test mode first, and require an explicit human approval step before refunds, subscription cancellations or changes, invoice finalization, coupon campaigns, and dispute submissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Vague Triggers

Medium, 86% confidence
Finding
The activation keywords are broad, commercial-task-oriented phrases that could cause an agent to invoke this skill in situations where the user did not explicitly request Stripe actions. Because the skill exposes high-impact financial write operations such as refunds, subscription cancellation, coupon creation, and invoice finalization, ambiguous routing increases the chance of unauthorized or unintended financial actions.

Missing User Warnings

High, 93% confidence
Finding
The skill advertises broad read/write control over Stripe resources, including destructive financial operations, without prominently warning that actions can issue refunds, cancel subscriptions, alter billing, or submit dispute evidence. In an agentic environment, missing warnings and approval requirements materially increase the risk of irreversible business-impacting actions being performed on the wrong customer, subscription, or payment object.

Missing User Warnings

Medium, 95% confidence
Finding
The skill exposes destructive billing actions like subscription cancellation without requiring or prominently documenting confirmation, authorization, or user-warning steps. In an agentic context, ambiguous or prompt-injected requests could cause irreversible service disruption, revenue loss, or unauthorized account changes.

Missing User Warnings

Medium, 97% confidence
Finding
Refunds move money and can directly create financial loss, but the schema provides no prominent warning or confirmation guidance before triggering them. An agent using this skill could issue unauthorized or mistaken refunds from vague instructions, social engineering, or prompt injection affecting support workflows.

Missing User Warnings

Medium, 92% confidence
Finding
Finalizing an invoice commits billing state and can trigger downstream collection or customer-facing obligations, yet the tool description omits any caution about that effect. In a high-privilege billing skill, lack of warning increases the chance of accidental invoicing or premature financial commitment by an autonomous or semi-autonomous agent.

Missing User Warnings

Medium, 94% confidence
Finding
The dispute update tool can immediately submit evidence to a bank when `submit=true`, but the schema does not foreground the legal, financial, and irreversible workflow implications. This creates risk of accidental submission of inaccurate, incomplete, or sensitive evidence, potentially harming dispute outcomes or disclosing unnecessary customer information.

VirusTotal

63/63 vendors flagged this skill as clean.
