Skill v1.0.1
ClawScan security
Native Stripe · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 24, 2026, 10:18 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill’s code, instructions, and required environment variables are consistent with its stated purpose (direct Stripe API access) and do not request unrelated credentials or external endpoints.
- Guidance
- This skill appears to do what it claims: run a bundled Python script that calls Stripe directly. Before installing, consider:
  1) Use a restricted or test API key (sk_test_...) rather than your live key when possible; Stripe supports restricted keys with limited permissions—prefer least privilege.
  2) Treat STRIPE_SECRET_KEY as highly sensitive: don’t paste it into untrusted places and rotate it if you suspect exposure.
  3) Review the bundled script yourself (it’s small and uses only the Python stdlib over HTTPS).
  4) Run the skill in a trusted environment (not a shared or public machine).
  5) If you need reduced risk, avoid granting live keys and instead create a read-only or restricted key for the operations you need.
Review Dimensions
- Purpose & Capability
- ok: The name/description match the behavior: the skill runs a Python script that calls api.stripe.com. It only requires python3 and STRIPE_SECRET_KEY, which are appropriate for interacting with Stripe.
- Instruction Scope
- ok: SKILL.md instructs only running the included script and setting STRIPE_SECRET_KEY. The script makes HTTPS requests directly to api.stripe.com, prints results, and does not read or transmit unrelated local files or call other external endpoints.
- Install Mechanism
- ok: No install spec — this is instruction + bundled script only. No downloads or third-party package installs are performed, lowering install-time risk.
- Credentials
- ok: Only STRIPE_SECRET_KEY is required and declared as primaryEnv. That is proportionate for a Stripe-management tool. Note: the secret key grants broad access to the Stripe account and should be treated and scoped carefully.
- Persistence & Privilege
- ok: always is false (no forced inclusion). The skill does not modify other skills or system-wide settings and does not request permanent presence beyond normal skill files.
