nextjs-stripe-integration
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements a surface for indirect prompt injection via the processing of Stripe webhook events.
- Ingestion points: The `app/api/webhooks/stripe/route.ts` file extracts data from the raw request body provided by Stripe's external API.
- Boundary markers: The implementation correctly uses `stripe.webhooks.constructEvent` with a `webhookSecret` to verify the authenticity and integrity of the incoming data.
- Capability inventory: The skill performs database mutations via a `ConvexHttpClient` (e.g., `api.stripeWebhook.handleCheckoutSessionCompleted`) based on the content of the webhook event.
- Sanitization: The code utilizes Stripe's official Node.js library for cryptographic signature verification, ensuring that instructions processed by the agent originate from a verified Stripe source.
- [EXTERNAL_DOWNLOADS]: The skill references several external dependencies and tools from trusted sources.
- It utilizes well-known Node.js packages including `stripe`, `@stripe/stripe-js`, and integration packages for `convex` and `workos`.
- It provides instructions for installing the official Stripe CLI via Homebrew for local development and testing.
- These resources are provided by established technology vendors and follow standard developer workflows, posing no direct security risk.
- [COMMAND_EXECUTION]: The skill includes instructions for standard terminal commands required for project setup and testing.
- It describes using `npm install` or `yarn add` to fetch dependencies from official registries.
- It includes commands for the Stripe CLI, such as `stripe listen` and `stripe trigger`, to simulate payment events during development.
- All commands are routine for the described development task and do not involve unauthorized privilege escalation or persistence mechanisms.
Audit Metadata