Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Stripe API Actions

v1.0.0

Use Stripe's live REST API for authenticated write actions. Use when you need to create or update Stripe customers, products, prices, payment links, refunds,...

by Stanislav Stankovic (@stanestane)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for stanestane/stripe-api-actions.

Install the skill "Stripe API Actions" (stanestane/stripe-api-actions) from ClawHub.
Skill page: https://clawhub.ai/stanestane/stripe-api-actions
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install stripe-api-actions

ClawHub CLI

npx clawhub@latest install stripe-api-actions
Security Scan
Capability signals
Crypto · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, SKILL.md and the included script all align: the skill performs authenticated Stripe write actions (customers, products, prices, refunds, subscriptions, metadata). The code implements only Stripe API calls and matches the stated purpose. However, the registry metadata lists no required environment variables or primary credential despite SKILL.md and the script clearly requiring STRIPE_SECRET_KEY — this metadata omission is noteworthy.
! Instruction Scope
SKILL.md instructs the operator to set STRIPE_SECRET_KEY and to require --confirm for writes. The included script enforces --confirm and only talks to api.stripe.com. There is no instruction or code that reads unrelated files, contacts other external endpoints, or exfiltrates data. The concern is that the runtime instructions access an environment secret (STRIPE_SECRET_KEY) that the registry did not declare; the instructions therefore reference resources outside the declared surface.
Install Mechanism
No install spec; the skill is instruction-only with a bundled Python helper script. Nothing is downloaded at install time and no archives are extracted. This is low-risk from an installation-mechanism perspective.
! Credentials
The script and SKILL.md require STRIPE_SECRET_KEY in the environment, and that key is the primary credential needed for write access. But the registry metadata lists no required env vars and no primary credential. This mismatch is disproportionate and could lead to accidental exposure if users aren't warned; the skill should declare STRIPE_SECRET_KEY (and ideally recommend using restricted/test keys).
Persistence & Privilege
The skill does not request always:true, does not modify other skills' configs, and has no install-time persistence. Autonomous invocation is allowed (platform default) but is not combined with other privilege escalation indicators here.
What to consider before installing
This skill appears to do exactly what it says (perform Stripe write operations) and the code only talks to api.stripe.com, but the registry metadata fails to declare the required secret. Before installing:

  1. Verify the skill author/source; there's no homepage and owner is unknown.
  2. Do not supply a live unrestricted Stripe secret until you audit the code yourself.
  3. Prefer using a restricted key or a test key scoped to only the needed write actions while evaluating.
  4. Confirm the platform/registry metadata is updated to declare STRIPE_SECRET_KEY as the primary credential.
  5. Review the script (it's included) to ensure it meets your safety policies and that --confirm behavior fits your automation needs.
  6. Monitor Stripe audit logs and be prepared to rotate keys if anything unexpected occurs.

Like a lobster shell, security has layers — review code before you run it.

Latest version: v1.0.0 · License: MIT-0 · 43 downloads · 0 stars · 1 version · Updated 2d ago

Stripe API Actions

Use this skill for live Stripe write operations.

Quick start

  1. Set STRIPE_SECRET_KEY in the current shell environment.
  2. Read references/actions-and-safety.md for the supported write actions and example commands.
  3. Require --confirm on every write command.

Core workflow

1. Confirm scope

Before running a write action, identify exactly which Stripe object should change and what the expected result is.

2. Use explicit commands

Examples:

python skills/stripe-api-actions/scripts/stripe_actions.py create_customer --name "Alice" --email "alice@example.com" --confirm
python skills/stripe-api-actions/scripts/stripe_actions.py create_product --name "Monthly Plan" --confirm
python skills/stripe-api-actions/scripts/stripe_actions.py create_price --product prod_123 --unit-amount 900 --currency eur --interval month --confirm
python skills/stripe-api-actions/scripts/stripe_actions.py create_payment_link --price price_123 --quantity 1 --confirm
python skills/stripe-api-actions/scripts/stripe_actions.py create_refund --payment-intent pi_123 --amount 500 --reason requested_by_customer --confirm
python skills/stripe-api-actions/scripts/stripe_actions.py cancel_subscription sub_123 --invoice-now --prorate --confirm
python skills/stripe-api-actions/scripts/stripe_actions.py update_metadata /customers/cus_123 --metadata external_id=42 --confirm

3. Prefer narrow changes

Prefer creating or updating the minimum necessary object rather than bundling several unrelated changes into one step.

Safety rules

  • Do not store live Stripe secrets in skill files.
  • Require --confirm for every write action.
  • Be cautious with refunds and subscription cancellation.
  • If a task affects live money flow or billing state, double-check the target object IDs first.
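
One way to act on the scan's advice to prefer restricted or test keys, as an added example that is not part of the skill or its bundled script: a preflight check to run before any write command. The function names and the refuse-live-secret policy are assumptions of this example; the key prefixes are Stripe's standard ones.

```python
import os

# Stripe key prefixes: sk_ = unrestricted secret key, rk_ = restricted key,
# pk_ = publishable key (cannot perform write actions).
KEY_CLASSES = {
    "sk_live_": ("secret", "live"),
    "sk_test_": ("secret", "test"),
    "rk_live_": ("restricted", "live"),
    "rk_test_": ("restricted", "test"),
    "pk_live_": ("publishable", "live"),
    "pk_test_": ("publishable", "test"),
}

def classify_key(key):
    """Return (kind, mode) for a Stripe API key, or None if unrecognised."""
    for prefix, cls in KEY_CLASSES.items():
        if key.startswith(prefix) and len(key) > len(prefix):
            return cls
    return None

def redact(key):
    """Keep only the prefix and last 4 characters for log output."""
    return key[:8] + "..." + key[-4:] if len(key) > 12 else "<redacted>"

def preflight(env, allow_live_secret=False):
    """Decide whether the key in env is acceptable for the skill's write actions.

    Returns (ok, reason). Policy (an assumption of this example): test keys and
    restricted keys pass; an unrestricted live secret key needs explicit opt-in.
    """
    key = env.get("STRIPE_SECRET_KEY", "").strip()
    if not key:
        return False, "STRIPE_SECRET_KEY is not set"
    cls = classify_key(key)
    if cls is None:
        return False, "value does not look like a Stripe API key"
    kind, mode = cls
    if kind == "publishable":
        return False, f"{redact(key)} is a publishable key and cannot write"
    if kind == "secret" and mode == "live" and not allow_live_secret:
        return False, f"{redact(key)} is an unrestricted live key; use rk_ or sk_test_"
    return True, f"{redact(key)} accepted ({kind}, {mode} mode)"

if __name__ == "__main__":
    ok, reason = preflight(os.environ)
    print(("OK: " if ok else "REFUSED: ") + reason)
    raise SystemExit(0 if ok else 1)
```

Run it in the same shell that holds STRIPE_SECRET_KEY; a non-zero exit status means the key should not be handed to the skill as-is.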

Resources

  • scripts/stripe_actions.py — minimal authenticated Stripe write helper using Python standard library
  • references/actions-and-safety.md — supported actions, caveats, and example commands
