Stripemeter
v0.1.0
Integrate Stripe usage-based billing with idempotent event ingestion, late-event handling, and pre-invoice reconciliation. Use when implementing usage meteri...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose (Stripe usage metering, idempotent ingestion, reconciliation) aligns with the content of the SKILL.md and included docs. However, the skill metadata lists no required environment variables or credentials even though the docs explicitly reference STRIPE_SECRET_KEY, STRIPE_TEST_SECRET_KEY, DATABASE_URL, and REDIS_URL — a mismatch between claimed requirements and what the skill actually needs to operate.
Instruction Scope
The SKILL.md contains procedural runtime instructions: git clone an external GitHub repository, run docker compose, copy .env files, set Stripe and DB/Redis secrets, and call local endpoints (ingest, replay, reconciliation). Those instructions require supplying sensitive credentials and executing third-party code locally. The docs also suggest using real Stripe invoices and keys for validation. While all of this is coherent with the stated purpose, it expands the agent's runtime obligations to network I/O, secret handling, and executing remote code — which should be explicitly declared in the metadata but is not.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the Quick Start instructs cloning https://github.com/geminimir/stripemeter and running docker compose and build steps. That effectively downloads and executes arbitrary third-party code from GitHub on the host. Because the registry metadata did not flag this download/run behavior, users may be surprised by the code execution risk. This is higher risk than an instruction-only skill that merely calls an external API.
Credentials
The SKILL.md expects STRIPE_SECRET_KEY/STRIPE_TEST_SECRET_KEY, DATABASE_URL, and REDIS_URL — which are proportionate for a Stripe-mapper that runs locally — but the registry declares no required env vars or primary credential. The absence of declared secrets in metadata is misleading and prevents automated gating or warnings. Requiring live Stripe keys and DB credentials is sensitive and should be explicit; provide only test keys or run in an isolated environment.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. There is no install spec that writes persistent binaries via the registry; however, the runtime instructions themselves ask the user to run docker compose and build code, which will run services locally. The skill metadata does not request elevated or permanent privileges in the registry.
What to consider before installing
Consider this suspicious because the docs ask you to run third-party code and supply sensitive credentials but the skill metadata lists no required secrets. Before installing or following the Quick Start: (1) review the GitHub repository contents and commit history yourself; (2) do not use live STRIPE_SECRET_KEY — use test keys or the described shadow mode and verify what the code does with keys; (3) run the project in an isolated environment (throwaway VM or container) with a least-privilege DB user and ephemeral Stripe test account; (4) inspect .env.example and code that reads env vars to confirm only expected data is used; (5) prefer running a security review or automated SBOM if you need to run this in production. If the publisher updates the registry metadata to explicitly declare required env vars and confirms the canonical repository and release artifacts (signed releases or official org repo), that would reduce the concern.
Like a lobster shell, security has layers — review code before you run it.
