stripe-verify
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- CREDENTIALS_UNSAFE (MEDIUM): The skill executes "npx convex env list" and "vercel env ls --environment=production". These commands output the full list of environment variables to the terminal. If these commands are executed by the agent, all production secrets (database URLs, API keys, etc.) are ingested into the agent's context, posing a risk of data exposure.
- COMMAND_EXECUTION (LOW): The skill relies on several external CLI tools (stripe, vercel, npx, curl). While standard, these are used to interact with production-level infrastructure and should be monitored.
- EXTERNAL_DOWNLOADS (LOW): The skill uses "npx" to run "convex", which can download packages from the npm registry. This introduces a dependency on the integrity of the remote package.
- PROMPT_INJECTION (LOW): Indirect prompt injection risk (Category 8).
  1. Ingestion points: "vercel logs" and "stripe events list" output.
  2. Boundary markers: None.
  3. Capability inventory: Shell execution ("stripe", "vercel", "npx", "curl").
  4. Sanitization: None.

  An attacker could potentially influence the agent by injecting instructions into logs.