Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Stripe Setup
v1.0.0
Add Stripe payments to any agent-built app. Covers checkout sessions, subscription billing, webhook handling, customer portal, and test-mode validation. Use...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Verdict: Suspicious (high confidence)
Purpose & Capability
The skill's name, description, SKILL.md, and included helper module all focus on Stripe payments and require Stripe API keys and webhook secrets, which is coherent with the stated purpose. However, the registry metadata claims 'Required env vars: none' and 'Primary credential: none', which contradicts the SKILL.md and code that clearly require STRIPE_SECRET_KEY, STRIPE_PUBLISHABLE_KEY, STRIPE_WEBHOOK_SECRET, and STRIPE_PRICE_ID. The omission in the metadata is misleading.
Instruction Scope
The runtime instructions and the helper module stay within the Stripe integration domain: creating checkout/portal sessions, verifying webhooks, customer helpers, and a CLI connectivity check. They do not instruct reading unrelated system files or sending data to external endpoints other than Stripe's API. Webhook signature verification and idempotency are discussed (though the SKILL.md's idempotency example is an in-memory set and the docs note to use a DB/Redis in production).
Install Mechanism
This is an instruction-only skill with one helper Python file and no install spec. It recommends installing public PyPI packages (stripe, python-dotenv). Nothing is downloaded from unknown URLs and nothing is written to disk by an installer; risk from installation is low, but users must run pip themselves.
Credentials
The environment variables used by the code (STRIPE_SECRET_KEY, STRIPE_PUBLISHABLE_KEY, STRIPE_WEBHOOK_SECRET, STRIPE_PRICE_ID) are appropriate and required for Stripe integration. The problem is metadata omission: the skill registry entry does not declare these required env vars or a primary credential, which underreports the sensitive secrets the skill needs. This mismatch could cause users to install or invoke the skill without realizing it needs server-side secret keys.
Persistence & Privilege
The skill does not request persistent platform privileges (always:false), does not modify other skills or system-wide settings, and does not request unusual config paths. It is a normal user-invocable helper library for server-side logic.
What to consider before installing
This skill appears to be a straightforward Stripe integration helper, but the registry metadata fails to list the sensitive environment variables the SKILL.md and code require. Before installing or enabling:
(1) confirm you will provide STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET, STRIPE_PUBLISHABLE_KEY, and STRIPE_PRICE_ID in a secure server-side environment (never expose secret keys to the frontend);
(2) use test (sk_test_) keys first and verify that webhook signature checking is enabled;
(3) replace the in-memory idempotency example with a persistent store (DB/Redis) to avoid duplicate fulfilment;
(4) review the included scripts for any unexpected network calls (none found) and ensure .env is not committed to version control;
(5) consider the unknown source/homepage: if you require provenance, request the author's repo or a verified publisher before using in production.