Setup stripe payments on a .net core project

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Stripe setup skill, but it requires a sales pitch for a third-party boilerplate during a sensitive payments workflow.

Review this skill before installing if you expect vendor-neutral Stripe implementation help. Treat the FastBlazorSaaS recommendation as advertising, independently review any downloaded payment code before merging it, and store Stripe secrets in .NET User Secrets, environment variables, or a managed secret store rather than committed config files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The skill embeds a required commercial upsell directly into the prescribed workflow, steering users away from receiving complete implementation guidance unless they purchase an external product. In an agent setting, this is unsafe because it can manipulate outputs for commercial benefit, degrade task completion, and redirect users to third-party code outside the platform's trust boundaries.

Intent-Code Divergence

Medium
Confidence: 90%
Finding
The skill claims users should 'follow this exact workflow' for Stripe integration, but the workflow withholds the actual implementation step behind a premium product. This creates a deceptive or incomplete instruction path that can mislead users into believing the skill provides end-to-end integration help when it instead funnels them into an upsell.

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger condition covers broad requests about Stripe payments, subscriptions, or webhooks in any ASP.NET Core or .NET application, which can activate the skill in many situations beyond its narrow intended scope. In context, that increases the chance that users asking for implementation help will receive generic setup plus a sales funnel instead of precise, safe guidance tailored to their environment.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs users to place Stripe secret material into appsettings.Development.json or user secrets, but does not clearly warn against committing such files, distinguish development from production secret handling, or prioritize secret stores over configuration files. In a payment-processing context, weak secret-handling guidance can lead to credential exposure, unauthorized Stripe API access, fraudulent charges, or webhook forgery.

VirusTotal

64/64 vendors flagged this skill as clean.