web-payments
Pass
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: Recommends installing official Stripe SDKs (`stripe`, `@stripe/stripe-js`, `@stripe/react-stripe-js`) for Node.js and Python. These are established packages from a well-known service.
- [CREDENTIALS_UNSAFE]: Provides instructions for managing Stripe API keys using environment variables. It correctly uses placeholders (e.g., `sk_test_xxx`) for secret keys and explicitly warns against exposing secret keys on the client side.
- [COMMAND_EXECUTION]: Includes standard Stripe CLI commands for local development and testing, such as `stripe listen` and `stripe trigger`, which are routine for developers testing webhook integrations.
- [DATA_EXFILTRATION]: No unauthorized data exfiltration patterns detected. Network operations are directed exclusively to official Stripe domains and the application's own local/production URLs.
- [SAFE]: The skill includes a dedicated 'Security Best Practices' section that reinforces non-negotiable security rules for payment integrations, such as verifying webhook signatures and avoiding client-side payment creation.