a2a-Market-Stripe-Payment
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherently about Stripe payments, but it describes capturing or canceling funds without declared Stripe credentials or clear operational boundaries, and it references runtime code that is not included.
Review this skill carefully before using it for real payments. It appears purpose-aligned, but you should require explicit Stripe credential declarations, test/live environment separation, capture/refund approval rules, audit logging, and the referenced runtime code before allowing it to affect production orders or funds.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If implemented or invoked too broadly, the agent could help create flows that capture or cancel real payments and change order states without enough operational safeguards.
These instructions describe event-driven financial and order-state mutations, but the artifact does not define user approval, amount/account limits, live/test boundaries, or rollback controls.
- Capture or cancel payments based on order transitions. ... `handle_webhook(event)` verifies signature and upserts payment status.
Require explicit business/user approval for captures, define amount and account boundaries, separate test and live Stripe environments, and add audit logging plus rollback/error-handling guidance.
A user may not realize that implementing the described behavior requires sensitive Stripe account credentials capable of moving money.
Capturing authorized funds implies delegated Stripe account authority. The supplied metadata declares no primary credential or required environment variables, leaving credential scope and privilege boundaries under-disclosed.
`capture_payment(provider_intent_id)` captures authorized funds.
Declare the required Stripe secret key and webhook signing secret, document least-privilege handling, avoid logging secrets, and clearly state whether the integration is test-only or allowed to operate in live mode.
Users cannot verify from the provided artifacts how the payment logic, credential handling, or tests are actually implemented.
The artifact set contains only SKILL.md and no runtime package, so the claimed implementation and tests could not be reviewed.
Status: implemented in local runtime package. ... `runtime/src/integrations/stripe/stripe-payment-service.js` ... Validation: covered by `runtime/tests` and `npm test` in `runtime/`.
Provide the referenced runtime files, tests, package metadata, and dependency lockfile for review, or remove the runtime-implemented claim from the instruction-only skill.
