stripe-integration-expert
Review
Audited by ClawScan on May 10, 2026.
Overview
This Stripe billing skill is relevant to its stated purpose, but its production checkout example passes a client-supplied price ID straight to Stripe with no visible validation, which could lead to billing mistakes or abuse if copied directly.
Use this skill as billing implementation guidance only after careful review. Before deploying any generated Stripe code, ensure plans and price IDs are validated on the server, subscription changes are authorized for the current user, Stripe secret keys stay server-side, and the final implementation is tested against Stripe's official docs.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If copied directly into production, users could potentially create checkout sessions for unintended plans or prices, causing incorrect billing or business logic abuse.
The checkout example takes a price ID from the request body and passes it into Stripe checkout without showing validation against the server-side PLANS list or other allowlist. For billing code, that is a high-impact user-controlled argument.
const { priceId, interval = "monthly" } = await req.json()
...
line_items: [{ price: priceId, quantity: 1 }]
Validate the requested plan and interval server-side, map them to known Stripe price IDs, ignore raw client-supplied price IDs, and add explicit authorization and ownership checks before any subscription mutation.
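The following is an added example of the server-side shape this finding asks for; it is not code from the skill under review or from Stripe. The PLANS table, the placeholder price IDs, the Session type and the function names (resolvePrice, authorizeCheckout, buildCheckoutParams, handleCheckout) are all assumptions made for illustration. The client can only name a plan and an interval; the price ID is looked up in a server-side allowlist, any priceId or customer field in the body is ignored or rejected, and the Stripe customer is taken from the authenticated session rather than the request.

```typescript
// Added example, not the reviewed skill's code. PLANS, the price IDs and the
// function names below are assumptions; real price IDs come from the Stripe
// dashboard and belong in server configuration, never in the client.

// Server-side allowlist: the only prices this service will ever bill.
export const PLANS = {
  starter: { monthly: "price_starter_monthly", yearly: "price_starter_yearly" },
  pro: { monthly: "price_pro_monthly", yearly: "price_pro_yearly" },
} as const;

export type PlanName = keyof typeof PLANS;
export type Interval = "monthly" | "yearly";

// The parsed request body: untrusted and of unknown shape.
export type CheckoutBody = Record<string, unknown>;

// What the application knows about the caller, independent of the request.
export interface Session {
  userId: string;
  stripeCustomerId: string | null;
}

export class CheckoutError extends Error {
  constructor(message: string, public readonly status: number) {
    super(message);
    // Keep instanceof working even when compiled to an ES5 target.
    Object.setPrototypeOf(this, new.target.prototype);
  }
}

function isPlanName(v: unknown): v is PlanName {
  // hasOwnProperty, not `in`, so keys like "__proto__" or "constructor" fail.
  return typeof v === "string" && Object.prototype.hasOwnProperty.call(PLANS, v);
}

function isInterval(v: unknown): v is Interval {
  return v === "monthly" || v === "yearly";
}

// Map the client's (plan, interval) choice onto a known price ID.
// A `priceId` field in the body is never read.
export function resolvePrice(body: CheckoutBody): { plan: PlanName; interval: Interval; priceId: string } {
  const plan = body.plan;
  const interval = body.interval === undefined ? "monthly" : body.interval;
  if (!isPlanName(plan)) throw new CheckoutError("unknown plan", 400);
  if (!isInterval(interval)) throw new CheckoutError("unknown interval", 400);
  return { plan, interval, priceId: PLANS[plan][interval] };
}

// Only an authenticated user with a billing customer may start checkout,
// and only for the customer record the server already associates with them.
export function authorizeCheckout(session: Session | null, body: CheckoutBody): { userId: string; customer: string } {
  if (!session) throw new CheckoutError("not authenticated", 401);
  if (!session.stripeCustomerId) throw new CheckoutError("no billing customer for user", 403);
  // A client-supplied customer ID is rejected unless it matches the session's.
  if (body.customer !== undefined && body.customer !== session.stripeCustomerId) {
    throw new CheckoutError("customer does not belong to current user", 403);
  }
  return { userId: session.userId, customer: session.stripeCustomerId };
}

// The params that would be passed to stripe.checkout.sessions.create(...).
export function buildCheckoutParams(session: Session | null, body: CheckoutBody) {
  const { userId, customer } = authorizeCheckout(session, body);
  const { plan, interval, priceId } = resolvePrice(body);
  return {
    mode: "subscription" as const,
    customer,
    line_items: [{ price: priceId, quantity: 1 }],
    // Metadata lets the webhook handler reconcile the session to a user.
    metadata: { plan, interval, userId },
  };
}

export type CheckoutResult =
  | { ok: true; status: 200; params: ReturnType<typeof buildCheckoutParams> }
  | { ok: false; status: number; error: string };

// Route-handler core, kept free of network calls so it can be unit-tested.
export function handleCheckout(session: Session | null, body: CheckoutBody): CheckoutResult {
  try {
    return { ok: true, status: 200, params: buildCheckoutParams(session, body) };
  } catch (e) {
    if (e instanceof CheckoutError) return { ok: false, status: e.status, error: e.message };
    throw e;
  }
}
```

In a real route the caller would load the session from its auth layer, pass the parsed body to handleCheckout, and only then call stripe.checkout.sessions.create with the returned params; a request carrying `priceId: "price_attacker"` still bills the plan the server resolved.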
A leaked or client-exposed Stripe secret key could allow unauthorized billing, customer, or subscription operations.
The examples require a Stripe secret key, which is expected for server-side Stripe integrations but grants broad authority over billing resources if mishandled.
export const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!, {
Keep Stripe secret keys only on the server, prefer restricted keys where possible, use test mode while developing, and never expose secret keys in client-side code or logs.
Users have less external context for verifying the author's guidance or comparing it against maintained documentation.
The skill has no linked source or homepage. Because it is instruction-only with no installable code, this is a provenance limitation rather than evidence of hidden execution.
Source: unknown
Homepage: none
Cross-check any billing implementation guidance against Stripe's official documentation and review the generated code before deploying.
