a2a-Market-Stripe-Payment
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If implemented or invoked too broadly, the agent could help create flows that capture or cancel real payments and change order states without enough operational safeguards.
These instructions describe event-driven financial and order-state mutations, but the artifact does not define user approval, amount/account limits, live/test boundaries, or rollback controls.
- Capture or cancel payments based on order transitions. ... `handle_webhook(event)` verifies signature and upserts payment status.
Require explicit business/user approval for captures, define amount and account boundaries, separate test and live Stripe environments, and add audit logging plus rollback/error-handling guidance.
A user may not realize that implementing the described behavior requires sensitive Stripe account credentials capable of moving money.
Capturing authorized funds implies delegated Stripe account authority. The supplied metadata declares no primary credential or required environment variables, leaving credential scope and privilege boundaries under-disclosed.
`capture_payment(provider_intent_id)` captures authorized funds.
Declare the required Stripe secret key and webhook signing secret, document least-privilege handling, avoid logging secrets, and clearly state whether the integration is test-only or allowed to operate in live mode.
Users cannot verify from the provided artifacts how the payment logic, credential handling, or tests are actually implemented.
The artifact set contains only SKILL.md and no runtime package, so the claimed implementation and tests could not be reviewed.
Status: implemented in local runtime package. ... `runtime/src/integrations/stripe/stripe-payment-service.js` ... Validation: covered by `runtime/tests` and `npm test` in `runtime/`.
Provide the referenced runtime files, tests, package metadata, and dependency lockfile for review, or remove the runtime-implemented claim from the instruction-only skill.