stripe-best-practices
Pass
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: SAFE
Full Analysis
- Secure API Key Management: The skill explicitly instructs against hardcoding secret keys in source code and recommends using environment variables or dedicated secret vaults. It identifies common patterns like embedding keys directly as anti-patterns and provides clear remediation steps.
- Promotion of Least Privilege: It strongly recommends using Restricted API Keys (RAKs) over standard secret keys, emphasizing the principle of least privilege to limit potential impact if a key is compromised.
- Webhook Security Guidance: The instructions emphasize the necessity of verifying webhook signatures using Stripe's signing secret to prevent spoofing and ensure request integrity.
- Trusted Documentation References: All external links point directly to official Stripe domains, including documentation, support, and the management dashboard, providing a secure path for developers to follow.
- Connect and Liability Awareness: The skill provides educational context regarding financial liability for different Connect account types and recommends Stripe-hosted onboarding to minimize the need for platforms to handle sensitive PII.
Audit Metadata