extension-payment
Pass
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill explicitly promotes security best practices by instructing users to keep API keys on the backend and avoid exposing them in client-side extension code.
- [SAFE]: All external documentation and script references target well-known and trusted payment service providers such as Stripe and Paddle.
- [SAFE]: The skill provides comprehensive guidance on secure communication patterns, including webhook signature verification and HTTPS enforcement.
- [INDIRECT_PROMPT_INJECTION]: The skill uses an external tool to ingest documentation from payment providers to guide implementation, creating a surface for indirect prompt injection.
- Ingestion points: SKILL.md (Step 3) fetches documentation from external URLs (e.g., Stripe, Polar) via the
docs-seekerskill. - Boundary markers: None specified; the agent follows instructions to fetch and implement based on the external content.
- Capability inventory: The workflow involves generating code snippets for extensions and backends based on the fetched documentation across several reference files.
- Sanitization: None specified for the content fetched from provider documentation endpoints.
Audit Metadata