Skill v1.0.0
ClawScan security
Lap Stripe Api · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 3, 2026, 1:56 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only Stripe API skill that only asks for a Stripe API key and documents standard Stripe endpoints — its requirements and instructions are coherent with the stated purpose.
- Guidance: This skill appears to do what it says: call Stripe endpoints. Before installing, confirm you trust the skill source (no homepage or publisher info is provided). Provide a least-privilege Stripe key if possible (create a restricted key or scoped integration rather than a full account master key). Do not reuse a high-privilege key used for production billing — instead create a dedicated key for the agent and rotate/revoke it if needed. If you need provenance, ask the publisher for a homepage or repo and verify the mapping between the documented endpoints and your intended usage.
Review Dimensions
- Purpose & Capability (ok): The skill is described as a Stripe API helper and the only required environment variable is a Stripe API key; that matches the stated purpose (calling Stripe REST endpoints). There are no unrelated binaries, installs, or config paths requested.
- Instruction Scope (ok): SKILL.md instructs the agent to set an Authorization header and call Stripe endpoints (e.g., GET /v1/account, POST /v1/account_links). The instructions do not tell the agent to read local files, other environment variables, or to transmit data to third-party endpoints outside api.stripe.com.
- Install Mechanism (ok): There is no install spec and no code files; this is instruction-only, so nothing is written to disk or downloaded. That is the lowest-risk installation model and is proportionate to the skill's purpose.
- Credentials (note): The skill requests a single environment variable, STRIPE_API_API_KEY, which is appropriate for a Stripe API integration. Two minor notes: the env var name is oddly repetitive (STRIPE_API_API_KEY) but functionally acceptable, and because a single account API key can grant broad access to a Stripe account, the key should be scoped/restricted where possible (e.g., limited permissions, restricted to necessary webhook/operation scopes or a restricted connection token).
- Persistence & Privilege (ok): always is false and the skill has no install or code that would persist or alter agent/system configuration. It does not request permanent presence or elevated privileges.
