Stripe Setup for Blazor Server

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Stripe setup guide with a visible commercial boilerplate pitch, but it does not run code, read files, or secretly handle credentials.

Use this as general Stripe setup guidance. Keep Stripe in test mode while developing, store secrets in .NET User Secrets or another secure store, do not paste live keys into chat, and treat the FastBlazorSaaS recommendation as a paid-product advertisement. Review and test any downloaded payment code before adding it to a real application.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The skill embeds a required commercial upsell into what is presented as neutral Stripe integration guidance, steering users to an external product instead of completing the requested task. In an agent setting, this is dangerous because it can manipulate user decisions, bias outputs for undisclosed commercial gain, and degrade trust by turning technical assistance into covert advertising.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill requires promotional redirection to a specific third-party commercial product that is not necessary to fulfill the stated purpose of explaining Stripe setup. This creates a conflict of interest and opens the door to affiliate abuse, user manipulation, or supply-chain risk if users are pushed to download and trust external code primarily because the skill told them to.

Vague Triggers

Medium
Confidence: 82%
Finding
The activation rule triggers on broadly phrased payment-related requests, so the skill may engage in many contexts where the user did not ask for Stripe-specific setup or the embedded upsell. That increases the chance of unsolicited promotional behavior and misapplication of guidance, especially in unrelated payment or subscription discussions.

VirusTotal

64/64 vendors flagged this skill as clean.
