Stripe
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: stripe-api
Version: 1.0.10
The skill bundle provides a standard integration for the Stripe API through a managed proxy service (api.maton.ai). It includes robust security instructions for the AI agent, explicitly requiring user approval for all write operations and financial transactions. No evidence of malicious intent, data exfiltration, or unauthorized execution was found in SKILL.md or the metadata.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If connected with broad Stripe permissions, the agent may be able to view or change important billing and payment data in that Stripe account.
The skill requires delegated Stripe OAuth access, which can grant account-level authority over financial resources. The artifact discloses this and gives least-privilege guidance.
Connect with the least-privileged Stripe account and OAuth scopes available, verify the intended connection ID before each request, and revoke unused connections promptly.
Use a least-privileged Stripe account or restricted OAuth scopes where possible, confirm the connection ID before writes, and revoke unused connections.
Approved write actions could modify customers, subscriptions, invoices, prices, products, or payments in Stripe, including live-mode financial changes.
The skill can perform high-impact Stripe write operations, including payment-related actions, but it explicitly requires detailed approval before execution.
This is a write-capable financial integration for customers, subscriptions, invoices, products, prices, and payments. ... All write operations require explicit user approval showing the exact endpoint, target resource, object IDs, amounts, and test/live mode before execution.
Before approving any write, verify the endpoint, resource IDs, amounts, account connection, and whether the action is in test or live mode.
Stripe requests and responses may be processed through Maton's gateway, so financial metadata and account actions depend on Maton's handling of the connection.
Requests and Stripe OAuth handling pass through Maton's API gateway. This provider-mediated data flow is disclosed and purpose-aligned, but it involves sensitive financial account data.
The gateway proxies requests to `api.stripe.com` and automatically injects your OAuth token.
Install only if you trust Maton as the OAuth/API gateway, and review Maton's connection management and revocation options.
If the external CLI package or distribution channel were compromised, it could affect the user's local environment.
The skill includes user-directed installation of an external global CLI package that is not included in the scanned artifacts. This is expected for the Maton integration but should be trusted separately.
`npm install -g @maton-ai/cli`
Install the CLI only from the official Maton sources, keep it updated, and use the Python/API examples if you do not want to install a global CLI.
