Security Audit

stripe-cli

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CAUTION

Scanned 3 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

stripe-cli received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.

SkillShield's automated analysis identified 5 findings: 2 critical, 1 high, 1 medium, and 1 low severity. Key findings include Missing required field: name, Node lockfile missing, Command Injection in `jq` filter via user-controlled input.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

93%

Dependency Graph

98%

LLM Behavioral Safety

25%

Behavioral Risk Signals

Network Access

2 findings

Filesystem Write

1 finding

Shell Execution

3 findings

Dynamic Code

2 findings

Excessive Permissions

1 finding

Security Findings5

Severity	Finding	Layer	Location
CRITICAL	Command Injection in `jq` filter via user-controlled input The `read_json` function in `scripts/shapescale-ext.sh`, when `jq` is available, constructs a `jq` filter using user-controlled input (`$1`). If the user provides a malicious string containing `\| system("...")` or other `jq` functions that allow external command execution, it can lead to arbitrary command injection. The `$1` argument is derived from `TEMPLATE` or `PLAN` variables, which are directly taken from command-line arguments (`$2`) provided by the user. Sanitize user-controlled input (`TEMPLATE`, `PLAN`) before using it to construct `jq` filters, or use `jq`'s `--arg` or `--argjson` features to pass values safely, preventing interpretation as part of the filter logic. For example, use `jq -r --arg path "$1" 'getpath($path \| split("."))'` if `$1` is intended as a dot-separated path.	LLM	scripts/shapescale-ext.sh:19
CRITICAL	Command Injection in `grep` pattern via user-controlled input The `read_json` function in `scripts/shapescale-ext.sh`, when `jq` is not available, uses `grep` with a pattern constructed from user-controlled input (`$1`). If the user provides a malicious string containing shell metacharacters (e.g., `"; rm -rf /; echo "`), it can lead to arbitrary command injection. The `$1` argument is derived from `TEMPLATE` or `PLAN` variables, which are directly taken from command-line arguments (`$2`) provided by the user. Avoid using `grep` for parsing structured data like JSON. If `jq` is not available, consider a more robust and secure JSON parsing library or explicitly escape all shell metacharacters in the `$1` variable before passing it to `grep`. Using `grep -F` (fixed strings) would mitigate some, but not all, injection vectors.	LLM	scripts/shapescale-ext.sh:26
HIGH	Broad access granted by Stripe API wrapper and sensitive credential handling The skill wraps the `stripe` CLI, including a generic `stripe api` command that allows arbitrary API calls to Stripe. This means the skill effectively inherits all permissions associated with the `STRIPE_SECRET_KEY`. If a highly privileged live secret key is used (as suggested by the `SKILL.md` mentioning `sk_test_your_key_here` but also implying live usage), the skill grants broad access to the Stripe account. Additionally, the skill attempts to retrieve `STRIPE_SECRET_KEY` from 1Password (`op read "op://Stripe/Secret Key"`) if not set as an environment variable. While this is an intended mechanism for credential management, it highlights the sensitive nature of the key and the broad access it enables. 1. Principle of Least Privilege: Advise users to configure the `STRIPE_SECRET_KEY` with the minimum necessary permissions for the skill's intended operations. Avoid using a highly privileged key (e.g., a root secret key) if only specific actions are needed. 2. Restrict `api` command: If the skill's functionality can be achieved without arbitrary API calls, consider removing or restricting the `stripe api` command to a predefined set of safe operations. 3. Secure Credential Storage: Ensure that the 1Password vault and the `op` CLI are configured with appropriate access controls and security best practices.	LLM	scripts/stripe.sh:10
MEDIUM	Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter.	Static	skills/kesslerio/stripe-cli/SKILL.md:1
LOW	Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution.	Dependencies	skills/kesslerio/stripe-cli/package.json

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/af07f2d85d9e2df6.svg)](https://skillshield.io/report/af07f2d85d9e2df6)