stripe-integration
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOW
NO_CODE
Full Analysis
- [PROMPT_INJECTION] (SAFE): The skill uses a professional persona ('payments engineer') to guide the agent's behavior but does not include instructions to bypass safety filters, ignore system prompts, or reveal internal configurations.
- [DATA_EXFILTRATION] (SAFE): No hardcoded credentials, API keys, or network exfiltration patterns were detected. It explicitly advises the use of separate keys and webhook verification.
- [EXTERNAL_DOWNLOADS] (SAFE): The skill does not reference any external URLs for downloading scripts or packages.
- [COMMAND_EXECUTION] (SAFE): There are no shell commands, subprocess calls, or system-level operations described in the file.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill is designed to help the agent process external data (Stripe webhooks), which is an inherent risk surface for payment integrations. However, the skill specifically provides security remediations (webhook signature verification, idempotency keys) to mitigate these risks rather than introducing vulnerabilities.
- [NO_CODE] (INFO): The file consists entirely of markdown documentation and configuration metadata without any accompanying executable scripts.
Audit Metadata