Stripe Webhook Replay Lab
v1.0.0
Replay signed Stripe webhook payloads to a local or staging endpoint for idempotency and retry debugging.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The script and SKILL.md implement exactly what the name/description promise (generate Stripe-Signature headers and POST the event payload repeatedly). Required binaries are appropriate for the task. However, registry metadata lists no required environment variables while SKILL.md and the script require STRIPE_WEBHOOK_URL and STRIPE_WEBHOOK_SECRET; this mismatch is unexpected and should have been declared in the metadata.
Instruction Scope
Runtime instructions only load a JSON payload (from a file or env var), compute an HMAC signature with the provided webhook secret, and POST to the user-specified endpoint. The script writes temporary response output to /tmp/stripe-webhook-replay-response.$$ and otherwise does not contact any third-party services. There is no hidden exfiltration, but the tool will send whatever payload you provide (which may contain email/IDs) to whichever URL you set, so pointing it at an untrusted external endpoint could leak test data.
Install Mechanism
This is instruction-only with an included shell script; there is no install step and nothing is downloaded from the network. No archive extraction or remote installs are present.
Credentials
The script legitimately needs STRIPE_WEBHOOK_URL and STRIPE_WEBHOOK_SECRET (and optional env vars for payload, counts, timeouts). The registry metadata, however, declares no required env vars — and the skill package does not list STRIPE_WEBHOOK_SECRET as a primary credential. The SKILL.md uses environment variables not listed in the metadata, which can mislead users about what secrets they must provide. Aside from that mismatch, the number and scope of env vars requested are proportional to the functionality.
Persistence & Privilege
The skill does not request persistent privileges, does not set always:true, and does not modify other skills or system-wide config. It runs only when invoked.
What to consider before installing
This script does what it says: it signs a JSON payload with your Stripe webhook secret and posts it to the URL you provide. Before running:
- Inspect the included script (you already have it) and confirm you are comfortable with it.
- Do NOT use a production webhook secret or production customer data; prefer test secrets and local/staging endpoints.
- Be careful what URL you set: the tool will send the payload to any URL, so don't point it at untrusted external endpoints (it could leak test data).
- Note the registry metadata omission: the package did not declare required env vars; expect to set STRIPE_WEBHOOK_URL and STRIPE_WEBHOOK_SECRET when running.
If you need higher assurance, run the script in an isolated environment or container and avoid supplying production secrets.
Runtime requirements
Bins: bash, curl, openssl, python3
Stripe Webhook Replay Lab
Use this skill to replay the same signed Stripe webhook event multiple times against your endpoint and validate idempotency behavior.
What this skill does
- Loads a Stripe event payload from a JSON file or inline env var
- Generates valid Stripe-Signature headers using your webhook secret (whsec_...)
- Replays the exact same payload N times to simulate duplicate deliveries/retries
- Prints per-attempt HTTP status and latency with a pass/fail summary
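The signature scheme the script reproduces, as an added example (this is not the skill's own code, and the secret, event and timestamps are constructed for the demonstration): the signed string is `<unix timestamp>.<raw body>`, the MAC is HMAC-SHA256 keyed with the endpoint secret, and the header carries `t=<ts>,v1=<hex digest>`. The receiver side is included because it is what the replay is meant to exercise; note that a captured header re-sent inside the tolerance window still verifies, which is exactly why duplicate detection has to key on the event id rather than on the signature.

```python
"""Stripe-Signature construction and verification (added example, not the skill's code).

Mirrors the scheme the replay script generates: signed payload is
"<timestamp>.<raw JSON body>", HMAC-SHA256 under the endpoint secret,
header "t=<ts>,v1=<hex>". Secret, event and clock values are constructed.
"""
import hashlib
import hmac
import json

# Constructed test secret; never put a live whsec_ value in a lab.
WEBHOOK_SECRET = "whsec_test_123"
# Constructed minimal event, the same shape as the SKILL.md inline example.
EVENT = {"id": "evt_test", "object": "event", "type": "checkout.session.completed",
         "data": {"object": {"id": "cs_test"}}}
PAYLOAD = json.dumps(EVENT, separators=(",", ":"))


def sign_payload(payload: str, secret: str, timestamp: int) -> str:
    """Return a Stripe-Signature header value for the exact byte string that is sent."""
    signed = f"{timestamp}.{payload}".encode("utf-8")
    digest = hmac.new(secret.encode("utf-8"), signed, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def parse_header(header: str) -> tuple[int, list[str]]:
    """Split 't=...,v1=...' into the timestamp and every v1 signature present."""
    timestamp = None
    sigs = []
    for part in header.split(","):
        key, _, value = part.partition("=")
        if key == "t":
            timestamp = int(value)
        elif key == "v1":
            sigs.append(value)
    if timestamp is None or not sigs:
        raise ValueError("malformed Stripe-Signature header")
    return timestamp, sigs


def verify_signature(payload: str, header: str, secret: str, *, now: int,
                     tolerance: int = 300) -> bool:
    """Receiver-side check: recompute the MAC over the raw body, compare in constant time.

    `tolerance` is the accepted clock skew in seconds (300 is the default Stripe's
    libraries use). A header outside the window is rejected even if the MAC is
    valid, so an old captured delivery cannot be resent indefinitely. Inside the
    window, an identical replay still verifies: this check is not a dedup.
    """
    try:
        timestamp, sigs = parse_header(header)
    except ValueError:
        return False
    if abs(now - timestamp) > tolerance:
        return False
    signed = f"{timestamp}.{payload}".encode("utf-8")
    expected = hmac.new(secret.encode("utf-8"), signed, hashlib.sha256).hexdigest().encode()
    # compare_digest avoids leaking, via timing, how many bytes of the MAC matched
    return any(hmac.compare_digest(expected, s.encode("utf-8")) for s in sigs)


def demo() -> dict:
    """Sign once, then try the header against genuine, tampered, stale and replayed cases."""
    now = 1_700_000_000  # fixed "current time" so the run is reproducible
    header = sign_payload(PAYLOAD, WEBHOOK_SECRET, now)
    tampered = PAYLOAD.replace("cs_test", "cs_other")
    return {
        "genuine": verify_signature(PAYLOAD, header, WEBHOOK_SECRET, now=now),
        "tampered_body": verify_signature(tampered, header, WEBHOOK_SECRET, now=now),
        "wrong_secret": verify_signature(PAYLOAD, header, "whsec_test_456", now=now),
        "stale": verify_signature(PAYLOAD, header, WEBHOOK_SECRET, now=now + 301),
        "reused_within_window": verify_signature(PAYLOAD, header, WEBHOOK_SECRET, now=now + 10),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22} -> {'accepted' if ok else 'rejected'}")
```

The body passed to `verify_signature` must be the raw request bytes, not a re-serialised JSON object: any change in whitespace or key order changes the MAC, which is also why the replay tool sends the exact same payload every attempt.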
Inputs
Required:
- STRIPE_WEBHOOK_URL (target endpoint)
- STRIPE_WEBHOOK_SECRET (Stripe endpoint secret used to verify signatures)
Payload source (choose one):
- STRIPE_EVENT_PATH (default: fixtures/sample-checkout-session-completed.json)
- STRIPE_EVENT_JSON (inline JSON payload; overrides STRIPE_EVENT_PATH)
Optional:
- REPLAY_COUNT (default: 2)
- REPLAY_DELAY_SECONDS (default: 0)
- REQUEST_TIMEOUT_SECONDS (default: 15)
- ACCEPT_HTTP_CODES (comma-separated exact HTTP codes accepted as success; default empty = any 2xx)
Run
STRIPE_WEBHOOK_URL=http://localhost:8000/webhooks/stripe \
STRIPE_WEBHOOK_SECRET=whsec_test_123 \
bash scripts/replay-stripe-webhook.sh
Force five duplicate deliveries with a small delay:
STRIPE_WEBHOOK_URL=http://localhost:8000/webhooks/stripe \
STRIPE_WEBHOOK_SECRET=whsec_test_123 \
REPLAY_COUNT=5 \
REPLAY_DELAY_SECONDS=0.2 \
bash scripts/replay-stripe-webhook.sh
Use inline payload JSON:
STRIPE_WEBHOOK_URL=http://localhost:8000/webhooks/stripe \
STRIPE_WEBHOOK_SECRET=whsec_test_123 \
STRIPE_EVENT_JSON='{"id":"evt_test","type":"checkout.session.completed","object":"event","data":{"object":{"id":"cs_test"}}}' \
bash scripts/replay-stripe-webhook.sh
Output contract
- Prints payload event id/type when available
- Logs each replay attempt: status code + elapsed milliseconds
- Exit 0 if all attempts pass success criteria
- Exit 1 if any attempt fails or inputs are invalid
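The pass/fail summary above is decided from HTTP status codes alone; whether your endpoint actually did the work once is something you verify on your side. As an added example (not the skill's code; the two handlers, the in-memory dedup set and the "fulfil" side effect are constructed stand-ins for your endpoint), the block below runs the replay loop against a naive handler and an idempotent one, and implements the ACCEPT_HTTP_CODES rule so both criteria are visible side by side.

```python
"""Naive vs idempotent receivers under duplicate delivery (added example, not the skill's code)."""
import json

# Constructed event, same shape as the SKILL.md inline example.
EVENT = {"id": "evt_test", "object": "event", "type": "checkout.session.completed",
         "data": {"object": {"id": "cs_test"}}}


def event_body() -> str:
    return json.dumps(EVENT, separators=(",", ":"))


class NaiveHandler:
    """Fulfils the order on every delivery: a retried event is fulfilled again."""
    def __init__(self):
        self.fulfilled = []

    def handle(self, body: str) -> int:
        event = json.loads(body)
        self.fulfilled.append(event["data"]["object"]["id"])
        return 200


class IdempotentHandler:
    """Keys the work on the Stripe event id; duplicates are acknowledged but not re-run.

    Answering 2xx for a duplicate matters: a non-2xx would make Stripe retry,
    so the same event would keep arriving.
    """
    def __init__(self):
        self.seen = set()    # in production: a durable store with a unique index on event id
        self.fulfilled = []

    def handle(self, body: str) -> int:
        event = json.loads(body)
        event_id = event["id"]
        if event_id in self.seen:
            return 200       # already processed: acknowledge, no side effects
        self.seen.add(event_id)
        self.fulfilled.append(event["data"]["object"]["id"])
        return 200


def attempt_passes(status: int, accept_codes: str = "") -> bool:
    """ACCEPT_HTTP_CODES semantics: empty means any 2xx, otherwise an exact-code match."""
    wanted = {c.strip() for c in accept_codes.split(",") if c.strip()}
    if not wanted:
        return 200 <= status < 300
    return str(status) in wanted


def replay(handler, body: str, count: int, accept_codes: str = "") -> dict:
    """Deliver the identical body `count` times; report status results and side-effect count."""
    statuses = [handler.handle(body) for _ in range(count)]
    return {
        "statuses": statuses,
        "all_passed": all(attempt_passes(s, accept_codes) for s in statuses),
        "times_fulfilled": len(handler.fulfilled),
        "idempotent": len(handler.fulfilled) == 1,
    }


if __name__ == "__main__":
    for cls in (NaiveHandler, IdempotentHandler):
        print(cls.__name__, replay(cls(), event_body(), 5))
```

Both handlers return 200 on every attempt, so the lab reports a pass for both; only the fulfilment count separates them, which is the check to add in your own endpoint's logs or database when you run the replay.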