Stripe

Security checks across malware telemetry and agentic risk

Overview

This Stripe database skill is understandable in purpose, but it gives the agent broad SQL access to sensitive billing data and asks users to put database credentials in a script.

Install only if you are comfortable giving the agent access to a Stripe billing database replica. Use a dedicated read-only PostgreSQL role limited to the stripe schema, avoid committing or sharing query.sh after adding credentials, rotate any exposed password, and review queries and outputs for customer or financial data before sharing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding:
The script takes an arbitrary SQL string from the caller and passes it directly to psql, which gives the skill a general database execution primitive rather than a constrained Stripe data lookup capability. In an agent setting, this can enable unauthorized access to unrelated tables, schema enumeration, or destructive statements if the configured credentials are not truly read-only.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding:
The usage text advertises a generic "SQL_QUERY" interface with examples like SELECT now() and SELECT * FROM users, confirming that the skill is intentionally broader than its stated Stripe-only purpose. This mismatch increases the risk that an agent or user can repurpose the skill to query arbitrary database content beyond the intended business scope.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding:
The comments instruct operators to use a read-only database, but the script itself does not verify or enforce read-only behavior before executing supplied SQL. If the provisioned account is misconfigured, the same interface could execute INSERT, UPDATE, DELETE, DDL, or other dangerous statements against production-like billing data.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The README explicitly instructs users to place a database username and password into `query.sh`, which encourages hardcoding credentials in a local script. This creates a realistic risk of accidental exposure through source control, logs, shell history, backups, or file sharing, and the surrounding language claiming the setup is "secure" may further reduce user caution.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
The invocation text says to use the skill for any Stripe-related data request, which is broad enough to trigger on generic mentions and cause the agent to query sensitive billing records when the user may only want conceptual help. In a skill backed by live customer and payment data, over-broad routing increases the chance of unnecessary data access and privacy violations.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill handles highly sensitive customer and billing data, including emails, invoices, payment details, tax IDs, and client secrets, but provides no warning or consent boundary about accessing this information. Without explicit safeguards, an agent may retrieve or disclose regulated or confidential data too freely in response to ordinary prompts.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The script is designed for manual insertion of database credentials directly into the file and exports the password into the environment for subprocess use. Hardcoded secrets are easily leaked through source control, backups, local copies, or accidental sharing, which is especially sensitive given the database contains Stripe customer and billing data.

VirusTotal

66/66 vendors flagged this skill as clean.