Native Stripe

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says by connecting directly to Stripe, but it gives an agent live payment-system authority with weak guardrails around refunds, customer updates, and broad API access.

Review before installing. Use a Stripe test key or restricted key where possible, do not expose live secret keys in logs or chats, and require explicit human approval before any command that creates refunds, updates customers, or sends POST requests to Stripe.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill requires a Stripe secret key and makes direct network calls to api.stripe.com, but the manifest does not declare permissions commensurate with those capabilities. That weakens reviewability and least-privilege controls because users may not realize the skill can access sensitive credentials and perform live external actions against a payment system.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is narrower than the apparent command surface: it omits balance_transactions and understates that generic get/create/update entry points may operate on arbitrary resources or IDs. In a Stripe context, that mismatch is dangerous because operators may approve or invoke the skill expecting limited read-only or narrowly scoped actions, while the tool can reach broader financial data and potentially perform unintended mutations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly documents destructive actions such as creating refunds and updating customers, including examples that appear ready to run against live Stripe data, but it does not warn users about irreversible or production-impacting consequences. In a payments skill, this omission increases the chance of accidental refunds or unintended customer record changes, especially because the same document also encourages use of live secret keys.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README tells users to export a Stripe secret key, including a live production key format, without emphasizing that this credential grants broad privileged API access and must be handled as a sensitive secret. This can lead to unsafe storage in shell history, screenshots, shared terminals, logs, or accidental disclosure, which would enable unauthorized access to payment data and account operations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The setup instructions encourage use of a live Stripe secret key without prominent warnings about production impact, secret handling, or preferring test mode first. Because Stripe secret keys can read and mutate customer and payment data, casual setup against sk_live can cause real financial actions, privacy exposure, and accidental changes in production.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The create and update paths perform live state-changing operations against Stripe, including creating refunds and modifying customer records, with no confirmation, dry-run mode, or resource allowlist. In an agent context, this increases the chance of accidental or unauthorized remote changes if invoked with mistaken or manipulated arguments.

VirusTotal

64/64 vendors flagged this skill as clean.