Stripe CLI
v1.0.0
Execute Stripe payments, refunds, subscriptions, customer and invoice management, webhook testing, and API calls, with optional ShapeScale clinic and subscri...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The scripts and SKILL.md implement a Stripe CLI wrapper and optional ShapeScale extensions and legitimately need the stripe binary and a STRIPE_SECRET_KEY. However, the registry summary at the top says 'Required env vars: none' and 'Required binaries: none', while package.json and SKILL.md declare requires.bins=['stripe'] and env STRIPE_SECRET_KEY. The metadata is inconsistent, and the mismatch should be corrected or confirmed before trusting the skill.
Instruction Scope
Runtime instructions and scripts primarily call the stripe CLI and read an optional shapescale-presets.json; they do not attempt to read unrelated system files. Two things to note: (1) the scripts will try to read secrets from 1Password (op read) as a fallback, which accesses an external secret store; (2) webhook listen forwards Stripe webhook payloads to STRIPE_WEBHOOK_ENDPOINT (default http://localhost:4242) — if you change that variable, webhooks could be forwarded to any endpoint. The ShapeScale JSON parsing falls back to brittle grep-based parsing when jq is absent (functional but error-prone).
Install Mechanism
The registry listing claims 'no install spec' but package.json contains moltbot.install entries (brew formula for macOS and a GitHub release .deb download for Linux). The Linux download is a GitHub releases .deb (expected for Stripe CLI) rather than an unknown host, so the install sources appear reasonable — but the mismatch between the registry metadata and the repository/package.json should be clarified.
Credentials
The skill legitimately requires STRIPE_SECRET_KEY and mentions STRIPE_WEBHOOK_ENDPOINT and SHAPESCALE_PRESETS_PATH. Those are proportional to the stated purpose. However, the registry metadata at the top lists no required env vars while SKILL.md and package.json declare STRIPE_SECRET_KEY required — this discrepancy is suspicious. Also the scripts optionally attempt to read secrets from 1Password (op read), which accesses another credentials store and may be unexpected for some users.
Persistence & Privilege
The skill is instruction-only (no install executed by the platform) and has always: false. It does not request persistent inclusion or attempt to modify other skills or system-wide settings. There is no evidence it writes persistent credentials or enables itself beyond normal skill installation.
What to consider before installing
This skill mostly does what it says — it wraps the Stripe CLI and needs your Stripe secret key and the stripe binary. Before installing:
1) Confirm the registry metadata vs. package.json/SKILL.md mismatch — ensure STRIPE_SECRET_KEY and stripe binary are expected.
2) Review the GitHub repo referenced in SKILL.md/package.json to ensure it’s the intended upstream; the Linux install uses a GitHub .deb (normal for stripe-cli).
3) Only use test keys (sk_test_...) first; do not supply live secret keys until you inspect the code and are comfortable.
4) Note the skill may try to read 1Password (op read) as a fallback — if you use that, verify what it will fetch.
5) If you forward webhooks, ensure STRIPE_WEBHOOK_ENDPOINT points to a trusted endpoint (default is localhost).
6) Consider running in an isolated/non-production environment and inspect the scripts (they call stripe CLI and parse JSON with grep if jq is missing) before granting any secrets.
Like a lobster shell, security has layers — review code before you run it.
