stripe-subscription
Fail
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill setup requires cloning a repository from an untrusted GitHub account (https://github.com/Eng0AI/stripe-subscription.git). Since the author and organization are not part of the trusted list, the integrity and safety of the downloaded code are unknown.
- [REMOTE_CODE_EXECUTION] (HIGH): The instructions direct the user to run 'npm install' and 'npm start' immediately after cloning the untrusted repository. This is a dangerous pattern because malicious actors can use npm lifecycle scripts (such as preinstall or postinstall) to execute arbitrary code on the user's machine during the installation process.
- [CREDENTIALS_UNSAFE] (SAFE): The skill handles Stripe API keys using environment variables and provides safe placeholders (sk_test_xxx) in the documentation, avoiding the risk of hardcoded secret exposure in the skill file itself.
Recommendations
- AI detected serious security threats
Audit Metadata