Stripe Webhook Replay Lab
Security checks across malware telemetry and agentic risk
Overview
The skill appears to do its stated webhook replay job, but it uses a Stripe webhook signing secret and sends repeated signed POST requests to the URL you provide, so keep it to local or staging targets.
This looks like a straightforward local/staging Stripe webhook replay helper. Before installing or running it, verify the target URL, use a test webhook secret where possible, avoid production unless you intend to exercise real business logic, and keep replay counts controlled.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If pointed at production or given a large replay count, it could create duplicate application events or other business-side effects.
The script deliberately sends the same payload repeatedly to the configured endpoint. This matches the stated replay/debugging purpose, but it can trigger endpoint-side side effects if aimed at a real service.
for ((i=1; i<=REPLAY_COUNT; i++)); do ... curl ... -X POST "$STRIPE_WEBHOOK_URL" ... --data "$payload"
Use only local, staging, or test endpoints unless you have explicitly reviewed the impact; keep REPLAY_COUNT small and confirm the target URL before running.
Exposure of the webhook secret could let someone generate signed webhook requests accepted by your application.
The webhook secret is used to generate Stripe-Signature headers. This is expected for a replay tool, but anyone who obtains the secret can forge webhook payloads that the user's endpoint will accept as genuine, so it must be handled as a credential.
signature="$(printf '%s' "$signed_payload" | openssl dgst -sha256 -hmac "$STRIPE_WEBHOOK_SECRET" | sed 's/^.*= //')"
Prefer test or staging webhook secrets, avoid sharing terminal transcripts or environment dumps, and rotate the secret if it may have been exposed.
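Both findings above (repeated signed POSTs and a secret that can mint Stripe-Signature headers) are contained on the receiving side. The following is an added Python example, not code from the skill or from Stripe's own SDK: it builds a header the way the skill's openssl line does, then verifies it with a constant-time HMAC check, a 300-second timestamp tolerance, and per-event-id deduplication, so a replayed or spoofed delivery is rejected before any business logic runs. The secret and event bodies are constructed placeholders.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder secret; a real value is the whsec_... string from the Stripe dashboard
WEBHOOK_SECRET = "whsec_placeholder_for_demo"
TOLERANCE_SECONDS = 300  # reject timestamps more than 5 minutes off (Stripe's documented default)
seen_event_ids = set()   # in a real service this would be a persistent, shared store


def make_event(event_id: str) -> str:
    """Constructed minimal event body; real Stripe events carry many more fields."""
    return json.dumps({"id": event_id, "object": "event", "type": "payment_intent.succeeded"})


def sign_payload(payload: str, timestamp: int, secret: str = WEBHOOK_SECRET) -> str:
    """Build a Stripe-Signature value: HMAC-SHA256 over "<timestamp>.<payload>", as the skill's openssl line does."""
    digest = hmac.new(secret.encode(), f"{timestamp}.{payload}".encode(), hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def verify_and_dedupe(payload: str, header: str, now: Optional[int] = None,
                      secret: str = WEBHOOK_SECRET) -> str:
    """Return "ok", "bad_signature", "stale" or "duplicate" for one webhook delivery."""
    now = int(time.time()) if now is None else now
    timestamp, candidates = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":          # several v1 values can appear during secret rotation
            candidates.append(value)
    if timestamp is None or not timestamp.isdigit():
        return "bad_signature"
    expected = hmac.new(secret.encode(), f"{timestamp}.{payload}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; nothing in the body is trusted until the signature passes
    if not any(hmac.compare_digest(expected, c) for c in candidates):
        return "bad_signature"
    # A valid signature carrying an old timestamp is exactly what a replayed request looks like
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        return "stale"
    # Inside the window, the event id is the idempotency key: each id is processed once
    event_id = json.loads(payload)["id"]
    if event_id in seen_event_ids:
        return "duplicate"
    seen_event_ids.add(event_id)
    return "ok"
```

Calling verify_and_dedupe twice with the same body and header returns "ok" and then "duplicate", which is the behaviour a replay of the skill's loop should hit on a hardened endpoint.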
