payment
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- SAFE (SAFE): No malicious patterns, obfuscation, or unauthorized access attempts were detected. The skill follows industry standard practices for payment gateway integrations.
- Data Exposure & Exfiltration (SAFE): The skill correctly handles sensitive credentials by referencing environment variables (`process.env.STRIPE_SECRET_KEY`, `process.env.STRIPE_WEBHOOK_SECRET`) instead of hardcoding API keys.
- Indirect Prompt Injection (SAFE): The skill includes a webhook ingestion point, which is a potential vulnerability surface, but implements strong mitigations.
  - Ingestion points: `reqbody` and headers in `handleWebhook` (SKILL.md).
  - Boundary markers: Present. The skill uses `stripe.webhooks.constructEvent`, which acts as a cryptographic boundary.
  - Capability inventory: Logic to update payment/subscription statuses and interact with a database schema.
  - Sanitization: Uses official SDK signature verification to prevent processing of unauthenticated or malicious payloads.
Audit Metadata