Stripe Webhook Replay Lab

v1.0.0

Replay signed Stripe webhook payloads to a local or staging endpoint for idempotency and retry debugging.

⭐ 0· 289·0 current·0 all-time

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for daniellummis/stripe-webhook-replay-lab.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "Stripe Webhook Replay Lab" (daniellummis/stripe-webhook-replay-lab) from ClawHub.
Skill page: https://clawhub.ai/daniellummis/stripe-webhook-replay-lab
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: bash, curl, openssl, python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install stripe-webhook-replay-lab

ClawHub CLI

Package manager switcher

npx clawhub@latest install stripe-webhook-replay-lab

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

The script and SKILL.md implement exactly what the name/description promise (generate Stripe-Signature headers and POST the event payload repeatedly). Required binaries are appropriate for the task. However, registry metadata lists no required environment variables while SKILL.md and the script require STRIPE_WEBHOOK_URL and STRIPE_WEBHOOK_SECRET; this mismatch is unexpected and should have been declared in the metadata.

✓

Instruction Scope

Runtime instructions only load a JSON payload (from a file or env var), compute an HMAC signature with the provided webhook secret, and POST to the user-specified endpoint. The script writes temporary response output to /tmp/stripe-webhook-replay-response.$$ and otherwise does not contact any third-party services. There is no hidden exfiltration, but the tool will send whatever payload you provide (which may contain email/IDs) to whichever URL you set, so pointing it at an untrusted external endpoint could leak test data.

✓

Install Mechanism

This is instruction-only with an included shell script; there is no install step and nothing is downloaded from the network. No archive extraction or remote installs are present.

Credentials

The script legitimately needs STRIPE_WEBHOOK_URL and STRIPE_WEBHOOK_SECRET (and optional env vars for payload, counts, timeouts). The registry metadata, however, declares no required env vars — and the skill package does not list STRIPE_WEBHOOK_SECRET as a primary credential. The SKILL.md uses environment variables not listed in the metadata, which can mislead users about what secrets they must provide. Aside from that mismatch, the number and scope of env vars requested are proportional to the functionality.

✓

Persistence & Privilege

The skill does not request persistent privileges, does not set always:true, and does not modify other skills or system-wide config. It runs only when invoked.

What to consider before installing

This script does what it says: it signs a JSON payload with your Stripe webhook secret and posts it to the URL you provide. Before running: (1) Inspect the included script (you already have it) and confirm you are comfortable with it. (2) Do NOT use a production webhook secret or production customer data — prefer test secrets and local/staging endpoints. (3) Be careful what URL you set: the tool will send the payload to any URL, so don't point it at untrusted external endpoints (it could leak test data). (4) Note the registry metadata omission: the package did not declare required env vars; expect to set STRIPE_WEBHOOK_URL and STRIPE_WEBHOOK_SECRET when running. If you need higher assurance, run the script in an isolated environment or container and avoid supplying production secrets.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Binsbash, curl, openssl, python3

latestvk973a9adfe5z7mvw316dkff7mh82bmb9

289downloads

0stars

1versions

Updated 1mo ago

v1.0.0

MIT-0

Stripe Webhook Replay Lab

Use this skill to replay the same signed Stripe webhook event multiple times against your endpoint and validate idempotency behavior.

What this skill does

Loads a Stripe event payload from a JSON file or inline env var
Generates valid Stripe Stripe-Signature headers using your webhook secret (whsec_...)
Replays the exact same payload N times to simulate duplicate deliveries/retries
Prints per-attempt HTTP status and latency with a pass/fail summary

Inputs

Required:

STRIPE_WEBHOOK_URL (target endpoint)
STRIPE_WEBHOOK_SECRET (Stripe endpoint secret used to verify signatures)

Payload source (choose one):

STRIPE_EVENT_PATH (default: fixtures/sample-checkout-session-completed.json)
STRIPE_EVENT_JSON (inline JSON payload; overrides STRIPE_EVENT_PATH)

Optional:

REPLAY_COUNT (default: 2)
REPLAY_DELAY_SECONDS (default: 0)
REQUEST_TIMEOUT_SECONDS (default: 15)
ACCEPT_HTTP_CODES (comma-separated exact HTTP codes accepted as success; default empty = any 2xx)

Run

STRIPE_WEBHOOK_URL=http://localhost:8000/webhooks/stripe \
STRIPE_WEBHOOK_SECRET=whsec_test_123 \
bash scripts/replay-stripe-webhook.sh

Force five duplicate deliveries with a small delay:

STRIPE_WEBHOOK_URL=http://localhost:8000/webhooks/stripe \
STRIPE_WEBHOOK_SECRET=whsec_test_123 \
REPLAY_COUNT=5 \
REPLAY_DELAY_SECONDS=0.2 \
bash scripts/replay-stripe-webhook.sh

Use inline payload JSON:

STRIPE_WEBHOOK_URL=http://localhost:8000/webhooks/stripe \
STRIPE_WEBHOOK_SECRET=whsec_test_123 \
STRIPE_EVENT_JSON='{"id":"evt_test","type":"checkout.session.completed","object":"event","data":{"object":{"id":"cs_test"}}}' \
bash scripts/replay-stripe-webhook.sh

Output contract

Prints payload event id/type when available
Logs each replay attempt: status code + elapsed milliseconds
Exit 0 if all attempts pass success criteria
Exit 1 if any attempt fails or inputs are invalid

Comments

Loading comments...