Native Stripe

Verdict: Suspicious. Audited by ClawScan on May 10, 2026.

Overview

This skill appears to call Stripe directly, but it can use a live Stripe secret key to change payments and customer data without tight built-in safeguards.

Install only if you want OpenClaw to access Stripe directly. Use a restricted or test key, review every refund or update before it is run, and remember that command output may include customer and payment details.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or over-broad agent command could issue refunds or alter live Stripe account records, potentially affecting revenue and customers.

Why it was flagged

The create and update commands accept a free-form Stripe resource and immediately POST to it, rather than restricting mutations to the documented refund/customer-update operations or requiring confirmation.

Skill content
create_p.add_argument("resource")
...
result = stripe_request("POST", args.resource, data=data)
...
update_p.add_argument("resource")
...
result = stripe_request("POST", f"{args.resource}/{args.id}", data=data)
Recommendation

Restrict allowed resources/actions in code, add an explicit confirmation or dry-run for POST operations, and require the user to approve refunds or account-data changes before execution.

What this means

Anyone using this skill with a live key lets the agent read Stripe data and perform actions allowed by that key.

Why it was flagged

The skill requires a Stripe secret key and explicitly shows a live key pattern; this is expected for direct Stripe API access but gives the skill authority over real Stripe account data.

Skill content
STRIPE_SECRET_KEY=sk_live_...
Use `sk_test_...` for test mode.
Recommendation

Prefer a Stripe restricted key with only the needed permissions or use sk_test until you are confident; keep the key private and rotate it if exposed.