stripe-integration
Pass
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill contains technical documentation and implementation examples for Stripe payment processing. All provided code follows official Stripe documentation and security standards.
- [CREDENTIALS_UNSAFE]: No hardcoded secrets or production credentials were found. The skill uses standard test-mode placeholders (e.g.,
sk_test_...,whsec_...) and correctly instructs users to manage secrets securely. - [INDIRECT_PROMPT_INJECTION]: The skill demonstrates how to handle external data via Stripe webhooks, which is a potential ingestion point for untrusted data. However, it correctly implements and mandates signature verification using
stripe.Webhook.construct_eventto ensure data authenticity. - Ingestion points: The
webhook()endpoint inSKILL.mdaccepts external POST requests containing JSON payloads. - Boundary markers: Not applicable, as the data is processed programmatically rather than being directly interpolated into an LLM prompt.
- Capability inventory: The logic is restricted to payment processing, database updates, and order fulfillment; no arbitrary command execution or dangerous file system operations are present.
- Sanitization: High-quality sanitization is provided via the official Stripe SDK's signature verification method.
Audit Metadata