a2a-Market-Stripe-Payment
Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: a2a-market-stripe-payment
Version: 0.2.0
The skill bundle provides a standard architectural blueprint and instructions for integrating Stripe payments into an application. The SKILL.md file outlines legitimate payment flows, including intent creation, capture, and webhook reconciliation, while explicitly recommending security best practices such as signature verification and idempotency. No malicious code, exfiltration logic, or suspicious instructions were detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If implemented or invoked too broadly, the agent could help create flows that capture or cancel real payments and change order states without enough operational safeguards.
These instructions describe event-driven financial and order-state mutations, but the artifact does not define user approval, amount/account limits, live/test boundaries, or rollback controls.
- Capture or cancel payments based on order transitions. ... `handle_webhook(event)` verifies signature and upserts payment status.
Require explicit business/user approval for captures, define amount and account boundaries, separate test and live Stripe environments, and add audit logging plus rollback/error-handling guidance.
A user may not realize that implementing the described behavior requires sensitive Stripe account credentials capable of moving money.
Capturing authorized funds implies delegated Stripe account authority. The supplied metadata declares no primary credential or required environment variables, leaving credential scope and privilege boundaries under-disclosed.
`capture_payment(provider_intent_id)` captures authorized funds.
Declare the required Stripe secret key and webhook signing secret, document least-privilege handling, avoid logging secrets, and clearly state whether the integration is test-only or allowed to operate in live mode.
Users cannot verify from the provided artifacts how the payment logic, credential handling, or tests are actually implemented.
The artifact set contains only SKILL.md and no runtime package, so the claimed implementation and tests could not be reviewed.
Status: implemented in local runtime package. ... `runtime/src/integrations/stripe/stripe-payment-service.js` ... Validation: covered by `runtime/tests` and `npm test` in `runtime/`.
Provide the referenced runtime files, tests, package metadata, and dependency lockfile for review, or remove the runtime-implemented claim from the instruction-only skill.
