Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

a2a-Market-Stripe-Payment

Integrate Stripe payment intents, capture flow, and webhook reconciliation for A2A orders. Use when implementing payment authorization/capture, refund path,...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 90 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name and description describe a Stripe payment integration (payment intents, capture, webhooks) which is coherent. However, the skill declares no credentials, env vars, or binaries even though a real Stripe integration would need at minimum an API key and webhook secret and typically needs Node/npm or another runtime to run the referenced code/tests.
Instruction Scope
SKILL.md includes concrete runtime paths and testing commands (runtime/src/integrations/..., 'npm test' in runtime/) and asks implementers to verify webhook signatures and enforce idempotency. Those instructions reference reading/verifying webhook secrets and running tests, but the package contains no code or secrets and does not declare how the agent is expected to obtain them. The guidance therefore grants implicit authority to access files/credentials that are not declared.
Install Mechanism
There is no install spec (instruction-only), which is low-risk in itself. However, the README expects a local runtime package and npm tests; the skill does not declare required binaries (node/npm) or an install step to provide the runtime, creating an operational mismatch.
Credentials
No environment variables or primary credential are declared. For Stripe integration, one would normally expect at least STRIPE_API_KEY and STRIPE_WEBHOOK_SECRET (or similarly named vars). The absence of declared secrets is inconsistent with instructions that explicitly require verifying webhook signatures and calling Stripe APIs.
Persistence & Privilege
The skill is not always-enabled and allows normal autonomous invocation — this is the platform default and appropriate for a payment integration skill. The skill does not request persistent system-wide privileges in its manifest.
What to consider before installing
This skill looks like a blueprint for a Stripe integration but is missing critical operational details. Before installing or using it, ask the author to: (1) declare required environment variables (e.g., STRIPE_API_KEY, STRIPE_WEBHOOK_SECRET) and justify any others; (2) list required binaries (node/npm) or provide an install spec if runtime code is expected; (3) include or point to the referenced runtime package and tests, or clarify that the skill is purely a design doc; and (4) confirm where webhook secrets will be stored and who/what will have access. Treat any skill that asks for live Stripe credentials as sensitive — only provide keys with the minimum scope needed (use test keys in development and restricted keys in production). If the author cannot explain these omissions, avoid installing the skill.

Like a lobster shell, security has layers — review code before you run it.

Current version: v0.2.0
latest: vk97b9w8q3qdbnftphxfxka7hrd83640x

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

SKILL.md

a2a-Market Stripe Payment

Create the Stripe payment integration skeleton for order settlement.

Current status: registration scaffold with stable payment contracts and webhook map.

Scope

  • Create payment intent from negotiated order terms.
  • Capture or cancel payments based on order transitions.
  • Reconcile webhook events with internal order state.

Suggested Project Layout

  • app/integrations/stripe/stripe_client.py
  • app/application/services/payment_service.py
  • app/interfaces/api/payment_routes.py
  • app/infrastructure/tasks/stripe_webhook_worker.py

Minimum Contracts (MVP P0)

  1. create_payment_intent(order_id, amount, currency) returns provider intent id + client secret.
  2. capture_payment(provider_intent_id) captures authorized funds.
  3. cancel_payment(provider_intent_id) voids uncaptured authorization.
  4. handle_webhook(event) verifies signature and upserts payment status.

Event Mapping

  • Emit ORDER_CREATED when payment intent is created.
  • Emit PAYMENT_SUCCEEDED when capture confirms.
  • Emit payment-failed incident event when authorization/capture fails.

Guardrails

  • Verify webhook signature before parsing payload.
  • Enforce idempotency key for create/capture endpoints.
  • Keep provider status mapping table explicit and versioned.
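The contracts and guardrails above leave the actual verify-then-parse-then-upsert sequence to the implementer. The following is an added example, not code from this skill or its runtime package: it shows handle_webhook(event) built the way the guardrails demand, with signature verification on the raw body before any JSON parsing, event-id deduplication so Stripe's delivery retries cannot double-apply a status, and an explicit versioned provider-to-internal status table. The signature check follows Stripe's documented scheme (HMAC-SHA256 over `"<t>.<raw body>"` with the endpoint secret, delivered as `Stripe-Signature: t=<t>,v1=<hex>`) and is implemented by hand so it runs offline; in a real service you would call stripe-python's `stripe.Webhook.construct_event` instead. STATUS_MAP values, EVENT_MAP names, PaymentStore, SignatureError, the sample event and the `whsec_example_secret` value are all assumptions made for this example.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Versioned provider -> internal status table (example values chosen for this
# demo, not the skill's own table). Keys are Stripe PaymentIntent statuses.
STATUS_MAP_VERSION = 1
STATUS_MAP = {
    "requires_capture": "AUTHORIZED",      # funds held, not yet captured
    "succeeded": "CAPTURED",
    "canceled": "VOIDED",
    "requires_payment_method": "FAILED",   # authorization or capture failed
}

# Stripe event type -> internal domain event, following the page's event mapping.
EVENT_MAP = {
    "payment_intent.succeeded": "PAYMENT_SUCCEEDED",
    "payment_intent.payment_failed": "PAYMENT_FAILED_INCIDENT",
}


class SignatureError(Exception):
    """Raised when the Stripe-Signature header does not validate."""


def verify_stripe_signature(payload: bytes, sig_header: str, secret: str,
                            tolerance: int = 300, now: Optional[int] = None) -> int:
    """Validate `Stripe-Signature` against the raw request body.

    Stripe signs f"{timestamp}.{raw_body}" with HMAC-SHA256 under the endpoint
    secret; a header may carry several v1 values during secret rotation.
    Returns the signed timestamp on success, raises SignatureError otherwise.
    """
    timestamp, candidates = None, []
    for part in sig_header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)
    if timestamp is None or not candidates or not timestamp.isdigit():
        raise SignatureError("malformed Stripe-Signature header")
    expected = hmac.new(secret.encode(), f"{timestamp}.".encode() + payload,
                        hashlib.sha256).hexdigest()
    # Constant-time comparison against every candidate; no early exit on mismatch.
    if not any(hmac.compare_digest(expected, c) for c in candidates):
        raise SignatureError("signature mismatch")
    ts = int(timestamp)
    now = int(time.time()) if now is None else now
    if abs(now - ts) > tolerance:
        raise SignatureError("timestamp outside tolerance (possible replay)")
    return ts


class PaymentStore:
    """In-memory stand-in for the persistence layer the skill leaves to the implementer."""

    def __init__(self) -> None:
        self.payments: dict = {}      # provider intent id -> internal status
        self.seen_events: set = set()  # Stripe event ids already applied
        self.emitted: list = []        # (domain event, provider intent id)


def handle_webhook(store: PaymentStore, payload: bytes, sig_header: str,
                   secret: str, now: Optional[int] = None) -> str:
    """Verify, then parse, then idempotently upsert the payment status."""
    verify_stripe_signature(payload, sig_header, secret, now=now)  # before json.loads
    event = json.loads(payload)
    if event["id"] in store.seen_events:  # Stripe retries deliveries; apply once
        return "DUPLICATE"
    intent = event["data"]["object"]
    provider_status = intent["status"]
    if provider_status not in STATUS_MAP:  # fail loudly rather than guess
        raise ValueError(f"unmapped provider status {provider_status!r} (map v{STATUS_MAP_VERSION})")
    internal = STATUS_MAP[provider_status]
    store.payments[intent["id"]] = internal
    store.seen_events.add(event["id"])  # mark seen only after a successful upsert
    if event["type"] in EVENT_MAP:
        store.emitted.append((EVENT_MAP[event["type"]], intent["id"]))
    return internal


def sign_payload(payload: bytes, secret: str, ts: int) -> str:
    """Build a Stripe-Signature header the way Stripe would (test helper only)."""
    mac = hmac.new(secret.encode(), f"{ts}.".encode() + payload, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


# Constructed sample event (not a real Stripe delivery); ids and secret are placeholders.
SAMPLE_SECRET = "whsec_example_secret"
SAMPLE_TS = 1_700_000_000
SAMPLE_EVENT = json.dumps({
    "id": "evt_example_001",
    "type": "payment_intent.succeeded",
    "data": {"object": {"id": "pi_example_001", "status": "succeeded"}},
}).encode()


if __name__ == "__main__":
    store = PaymentStore()
    header = sign_payload(SAMPLE_EVENT, SAMPLE_SECRET, SAMPLE_TS)
    print(handle_webhook(store, SAMPLE_EVENT, header, SAMPLE_SECRET, now=SAMPLE_TS))  # CAPTURED
    print(handle_webhook(store, SAMPLE_EVENT, header, SAMPLE_SECRET, now=SAMPLE_TS))  # DUPLICATE
```

Two details matter for the guardrails: the signature is computed over the exact bytes received (re-serialising parsed JSON would break it, which is why verification must precede parsing), and the event id is recorded only after the upsert commits, so a crash mid-handler lets Stripe's retry succeed instead of being swallowed as a duplicate. The same idempotency pattern, keyed on the caller-supplied idempotency key rather than the event id, applies to the create and capture endpoints.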

Implementation Backlog

  • Add partial refund and dispute webhook handling.
  • Add multi-currency routing and fee optimization.

Runtime Implementation

  • Status: implemented in local runtime package.
  • Primary code path: runtime/src/integrations/stripe/stripe-payment-service.js
  • Validation: covered by runtime/tests and npm test in runtime/.

Files

1 total