stripe-integration
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill interacts with external data sources such as project files and webhook payloads, creating an indirect prompt injection surface where malicious instructions could be embedded in the data processed by the agent.\n
- Ingestion points: The skill reads codebase files using Read, Grep, and Glob tools and handles Stripe webhook routes (e.g.,
src/app/api/stripe/webhook/route.ts).\n - Boundary markers: No specific boundary markers or "ignore embedded instructions" warnings are defined for interpolated data.\n
- Capability inventory: The skill utilizes high-privilege tools including Bash, Write, and Edit.\n
- Sanitization: The instructions explicitly mandate input validation and webhook signature verification as mitigation measures.\n- [COMMAND_EXECUTION]: The skill facilitates the use of the
stripeCLI for local development, specifically for forwarding webhooks and triggering test events.\n- [CREDENTIALS_UNSAFE]: The skill references environment variables (e.g.,STRIPE_SECRET_KEY) and provides standard Stripe test card numbers. It includes strong warnings against hardcoding production keys (sk_live_).\n- [EXTERNAL_DOWNLOADS]: References official Stripe CLI and API services, which are recognized as well-known and trusted technology providers.
Audit Metadata