Skill v5.0.0

ClawScan security

Stripe Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 23, 2026, 12:33 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is a reference-only Stripe documentation helper whose declared behavior, lack of required credentials, and bundled shell script (which prints heredoc documentation) are consistent with the stated purpose.
Guidance
This skill appears to be a documentation/reference tool only and is internally consistent with its description. Before installing, you may want to (1) review the rest of scripts/script.sh (the provided snippet was truncated) to confirm there are no hidden network calls or command substitutions, (2) confirm your agent/runtime will not execute the script with network connectivity if you want to enforce offline behavior, and (3) verify that you are comfortable with the agent being able to invoke the skill autonomously (default behavior) if you allow autonomous skill use. If those checks look good, the skill's footprint and requested access are proportionate for a Stripe reference helper.

Review Dimensions

Purpose & Capability
ok
Name/description claim a Stripe reference and troubleshooting helper; SKILL.md and the included script contain only reference content (PaymentIntents, webhooks, PCI, CLI cheatsheets). There are no environment variables, no required binaries, and nothing requested that would be unrelated to a documentation/reference skill.
Instruction Scope
ok
SKILL.md explicitly instructs the agent to output plain-text reference documentation via heredoc and states 'No external API calls, no credentials needed, no network access.' The visible portions of scripts/script.sh implement only static documentation output functions and do not reference files, credentials, or network endpoints.
Install Mechanism
ok
No install spec is provided (instruction-only), which minimizes disk writes and external code installation. A single shell script is bundled but it appears to be a static documentation generator rather than an installer or downloader.
Credentials
ok
The skill declares no required env vars, no primary credential, and no config paths. That is proportionate for a reference/documentation skill.
Persistence & Privilege
ok
always is false and the skill is user-invocable. It does not request persistent privileges or to modify other skills or system-wide settings.