stripe-best-practices
Pass
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: SAFE
Full Analysis
- Comprehensive Security Guidance: The skill includes a dedicated security reference that correctly identifies critical integration risks. It provides actionable advice on protecting against CSRF attacks in OAuth flows, verifying webhook signatures to prevent spoofing, and using restricted API keys (RAKs) to follow the principle of least privilege.
- Secure Credential Management: The instructions strongly advise against hardcoding API keys in source code. They recommend a secrets vault or environment variables instead, and give guidance on rotating keys and on adding pre-commit hooks that block a commit containing a key before it reaches the repository.
- Modern API Promotion: The skill actively discourages the use of legacy and deprecated APIs (such as the Charges API, Sources API, and Card Element) in favor of modern, more secure alternatives like PaymentIntents, Checkout Sessions, and the Payment Element.
- Safe Vendor Integration: All external links point to official Stripe domains (docs.stripe.com, support.stripe.com, dashboard.stripe.com), so developers are directed to authoritative sources for their integration decisions rather than to third-party mirrors.
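The webhook signature check the audit refers to, written out as an added example (this is not code from the audited skill or from Stripe's SDK). It follows Stripe's documented manual verification scheme: the `Stripe-Signature` header carries `t=<unix timestamp>,v1=<hex HMAC>`, and the HMAC-SHA256 is computed over `"<timestamp>.<raw request body>"` keyed with the endpoint's signing secret. The secret, payload and timestamp below are constructed values, and `sign_payload` stands in for Stripe's side of the exchange so the verifier can be exercised offline.

```python
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

# Constructed example secret; a real one comes from the Stripe Dashboard and
# belongs in a secrets vault or environment variable, never in source.
ENDPOINT_SECRET = "whsec_example_signing_secret_not_real"

# Stripe's documented default replay window. Events older than this are
# rejected so a captured, validly signed request cannot be replayed later.
DEFAULT_TOLERANCE_SECONDS = 300


def sign_payload(payload: bytes, secret: str, timestamp: int) -> str:
    """Produce a Stripe-Signature header the way Stripe's servers do.

    Only used here to build test input; a receiver never signs anything.
    """
    signed_payload = f"{timestamp}.".encode() + payload
    digest = hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def _parse_signature_header(header: str) -> Tuple[Optional[int], List[str]]:
    """Split 't=...,v1=...,v1=...' into the timestamp and all v1 signatures.

    Several v1 values may be present while a secret is being rotated, so all
    of them are collected and any one matching is accepted.
    """
    timestamp: Optional[int] = None
    signatures: List[str] = []
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep:
            continue
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
    return timestamp, signatures


def verify_webhook_signature(
    payload: bytes,
    header: str,
    secret: str,
    tolerance: int = DEFAULT_TOLERANCE_SECONDS,
    now: Optional[int] = None,
) -> bool:
    """Return True only if the header authenticates this exact raw body.

    `payload` must be the raw bytes as received: re-serialising parsed JSON
    changes whitespace and key order and will silently break verification.
    """
    timestamp, signatures = _parse_signature_header(header)
    if timestamp is None or not signatures:
        return False

    current = int(time.time()) if now is None else now
    if abs(current - timestamp) > tolerance:
        return False  # stale (or implausibly future-dated) event: treat as replay

    expected = hmac.new(
        secret.encode(), f"{timestamp}.".encode() + payload, hashlib.sha256
    ).hexdigest()
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return any(hmac.compare_digest(expected, sig) for sig in signatures)


if __name__ == "__main__":
    # Constructed event body; the exact bytes matter, not the JSON content.
    body = b'{"id":"evt_example_1","type":"payment_intent.succeeded"}'
    ts = int(time.time())
    good_header = sign_payload(body, ENDPOINT_SECRET, ts)
    print("genuine:", verify_webhook_signature(body, good_header, ENDPOINT_SECRET))
    print("tampered:", verify_webhook_signature(body + b" ", good_header, ENDPOINT_SECRET))
    print("replayed:", verify_webhook_signature(body, good_header, ENDPOINT_SECRET, now=ts + 600))
```

In a real handler the check runs before the body is parsed or any business logic executes, and a failed check returns 400 without revealing which step failed. Stripe's official SDKs expose the same check (for example `stripe.Webhook.construct_event` in Python), which is preferable in production; the manual version here shows what that call actually enforces.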
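The pre-commit hook mentioned under Secure Credential Management, as an added example (not the audited skill's own hook). It scans the lines being added in the staged diff for Stripe secret-key prefixes (`sk_live_`/`sk_test_`, restricted keys `rk_live_`/`rk_test_`, and webhook signing secrets `whsec_`) and fails the commit if any are found. Publishable keys (`pk_`) are deliberately not flagged, since they are meant to be public. The minimum key length in the patterns and the sample text are assumptions made for this example.

```python
import re
import subprocess
import sys
from typing import List, Tuple

# Stripe key prefixes that must never reach source control. The minimum run
# length of 16 key characters is an assumption chosen to avoid matching bare
# prefixes in comments or documentation; tune it for your repository.
STRIPE_KEY_PATTERNS = [
    ("secret key", re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{16,}")),
    ("restricted key", re.compile(r"\brk_(?:live|test)_[A-Za-z0-9]{16,}")),
    ("webhook signing secret", re.compile(r"\bwhsec_[A-Za-z0-9]{16,}")),
]


def redact(token: str) -> str:
    """Keep the prefix and last four characters so the hit is recognisable
    without echoing the full secret into terminal scrollback or CI logs."""
    return token[:8] + "..." + token[-4:]


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, kind, redacted token) for every key-like match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in STRIPE_KEY_PATTERNS:
            for match in pattern.finditer(line):
                findings.append((lineno, label, redact(match.group(0))))
    return findings


def staged_added_lines() -> str:
    """Collect only the '+' lines of the staged diff, so keys already in
    history (which need rotation, not a blocked commit) don't trip the hook."""
    result = subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        capture_output=True, text=True, check=False,
    )
    added = []
    for line in result.stdout.splitlines():
        if line.startswith("+") and not line.startswith("+++"):
            added.append(line[1:])
    return "\n".join(added)


def main() -> int:
    findings = scan_text(staged_added_lines())
    if not findings:
        return 0
    print("Refusing to commit: Stripe secrets found in staged changes.", file=sys.stderr)
    for lineno, label, token in findings:
        print(f"  added line {lineno}: {label} {token}", file=sys.stderr)
    print("Move the value to an environment variable or secrets vault, then "
          "rotate it in the Stripe Dashboard if it was ever real.", file=sys.stderr)
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Install it as `.git/hooks/pre-commit` (or wire it into a hook framework) and it exits non-zero on a hit, which aborts the commit. A hook only catches keys before they are committed; anything already pushed should be treated as exposed and rotated regardless of how quickly the commit is removed.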
Audit Metadata