Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
a2a-Market-Stripe-Payment
v0.2.0
Integrate Stripe payment intents, capture flow, and webhook reconciliation for A2A orders. Use when implementing payment authorization/capture, refund path,...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (high confidence)
Purpose & Capability
The name and description describe a Stripe payment integration (payment intents, capture, webhooks) which is coherent. However, the skill declares no credentials, env vars, or binaries even though a real Stripe integration would need at minimum an API key and webhook secret and typically needs Node/npm or another runtime to run the referenced code/tests.
Instruction Scope
SKILL.md includes concrete runtime paths and testing commands (runtime/src/integrations/..., 'npm test' in runtime/) and asks implementers to verify webhook signatures and enforce idempotency. Those instructions reference reading/verifying webhook secrets and running tests, but the package contains no code or secrets and does not declare how the agent is expected to obtain them. The guidance therefore grants implicit authority to access files/credentials that are not declared.
Install Mechanism
There is no install spec (instruction-only), which is low-risk in itself. However, the README expects a local runtime package and npm tests; the skill does not declare required binaries (node/npm) or an install step to provide the runtime, creating an operational mismatch.
Credentials
No environment variables or primary credential are declared. For Stripe integration, one would normally expect at least STRIPE_API_KEY and STRIPE_WEBHOOK_SECRET (or similarly named vars). The absence of declared secrets is inconsistent with instructions that explicitly require verifying webhook signatures and calling Stripe APIs.
Persistence & Privilege
The skill is not always-enabled and allows normal autonomous invocation — this is the platform default and appropriate for a payment integration skill. The skill does not request persistent system-wide privileges in its manifest.
What to consider before installing
This skill looks like a blueprint for a Stripe integration but is missing critical operational details. Before installing or using it, ask the author to: (1) declare required environment variables (e.g., STRIPE_API_KEY, STRIPE_WEBHOOK_SECRET) and justify any others; (2) list required binaries (node/npm) or provide an install spec if runtime code is expected; (3) include or point to the referenced runtime package and tests, or clarify that the skill is purely a design doc; and (4) confirm where webhook secrets will be stored and who/what will have access. Treat any skill that asks for live Stripe credentials as sensitive — only provide keys with the minimum scope needed (use test keys in development and restricted keys in production). If the author cannot explain these omissions, avoid installing the skill.
