stripe-webhooks

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Full Analysis
  • [CREDENTIALS_SAFE] (SAFE): The skill consistently recommends using environment variables for sensitive data like STRIPE_SECRET_KEY. No hardcoded credentials were found; all examples use safe placeholders such as sk_test_your_api_key_here.
  • [EXTERNAL_DOWNLOADS] (SAFE): Documentation suggests installing the official Stripe CLI and Hookdeck CLI for testing. These are industry-standard tools for the described use case.
  • [PROMPT_INJECTION] (SAFE): No malicious instructions intended to bypass AI safety filters or override agent behavior were detected within the skill metadata or source code.
  • [DATA_EXFILTRATION] (SAFE): The skill processes incoming data locally and does not perform any unauthorized data exfiltration. The only network operations involve standard responses to the Stripe API.
  • [REMOTE_CODE_EXECUTION] (SAFE): All provided code samples (Express, FastAPI, Next.js) perform static logic. There is no usage of dangerous functions like eval() or exec(), nor are there patterns involving remote script execution.
  • [INDIRECT_PROMPT_INJECTION] (SAFE): The skill defines a clear ingestion surface for untrusted external data (webhook POST requests). However, it mandates the use of the Stripe SDK's signature verification method (constructEvent), which provides a cryptographically secure boundary and prevents processing of unauthorized or malicious payloads.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 05:28 PM