stripe-stack
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill provides production-grade templates for Stripe integration that follow security best practices, such as lazy initialization of the Stripe client and database-backed idempotency for webhook handlers.
- [CREDENTIALS_UNSAFE]: Sensitive keys like Stripe secret keys and Supabase service role keys are managed via environment variables with clear instructions and templates using placeholders.
- [EXTERNAL_DOWNLOADS]: References to external dependencies and templates are limited to official or vendor-owned sources, including the Stripe SDK ('stripe', '@stripe/stripe-js'), the Stripe CLI, and the author's repository at 'github.com/ScientiaCapital/stripe-stack'.
- [DATA_EXFILTRATION]: Webhook handling logic includes mandatory signature verification using 'stripe.webhooks.constructEvent' in 'templates/webhook-handler-nextjs.ts', ensuring data authenticity and preventing unauthorized manipulation.
- [SAFE]: Regarding potential indirect prompt injection: untrusted data enters via the webhook endpoint in 'templates/webhook-handler-nextjs.ts'; signature verification serves as a sanitization and boundary layer; system capabilities are restricted to database writes in 'templates/idempotency-migration.sql'; no LLM-specific boundary markers are present as the processing is code-based.
Audit Metadata