Trust Assessment
stripe-integration received a trust score of 71/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 1 high, 2 medium, and 0 low severity. Key findings include Hardcoded Stripe Test API Key, Hardcoded Stripe Webhook Endpoint Secret.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 11, 2026 (commit 5d65aa10). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Hardcoded Stripe Webhook Endpoint Secret: the Stripe webhook endpoint secret (`whsec_...`) is hardcoded in the webhook handling example. This secret is what the handler uses to verify the authenticity and integrity of incoming Stripe webhooks. Hardcoding it makes the secret easily discoverable and compromises webhook processing: an attacker who obtains it can send forged webhook events that manipulate application state or financial records. Store the webhook endpoint secret in an environment variable or a secret management system, load it at runtime, and never commit it to version control. | Static | SKILL.md:183 |
| MEDIUM | Hardcoded Stripe Test API Key: the Stripe API key is hardcoded directly in the code snippets. The examples use a test key (`sk_test_...`), so the immediate impact is limited, but hardcoding API keys is a security anti-pattern regardless of environment. Reproduced with a production key, the same pattern exposes credentials that grant access to the Stripe account, and readers who copy the example are likely to do exactly that. Store API keys in environment variables, a configuration management system, or a secret manager (e.g. AWS Secrets Manager, HashiCorp Vault) and load them at runtime. Update every place where `stripe.api_key` is set to retrieve the key from such a source. | Static | SKILL.md:49 |
| MEDIUM | Hardcoded Stripe Test API Key: second instance of the finding above, where `stripe.api_key` is again assigned a literal `sk_test_...` value. Apply the same fix. | Static | SKILL.md:268 |
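The remediation for all three findings is the same: read the API key and the webhook endpoint secret from the environment at runtime and fail closed when they are absent. The following is an added example, not code from the stripe-integration skill or from Stripe's SDK; it uses only the standard library and reimplements Stripe's documented webhook signature check (HMAC-SHA256 with the `whsec_...` secret over `"<timestamp>.<raw body>"`, compared against the `v1=` values in the `Stripe-Signature` header, with a replay tolerance). The environment variable names `STRIPE_SECRET_KEY` and `STRIPE_WEBHOOK_SECRET` and the sample event body are assumptions made for the example.

```python
"""Load Stripe secrets from the environment and verify webhook signatures.

Added example, not part of the stripe-integration skill. Env-var names
(STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET) are assumptions.
"""
import hashlib
import hmac
import os
import time
from typing import List, Mapping, Optional, Tuple

# Pattern flagged by the scan (SKILL.md:49, :183, :268):
#   stripe.api_key = "sk_test_..."     # hardcoded API key
#   endpoint_secret = "whsec_..."      # hardcoded webhook secret
# Hardened pattern: both come from the process environment and the
# handler refuses to start if either is missing or malformed.

DEFAULT_TOLERANCE = 300  # seconds; Stripe's SDK uses the same default


def load_secret(name: str, prefix: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Fetch a secret from os.environ (or a supplied mapping) and sanity-check it.

    Raising here, instead of defaulting to "" or a placeholder, means a
    misconfigured deployment cannot silently accept unsigned webhooks.
    """
    source = os.environ if env is None else env
    value = source.get(name, "").strip()
    if not value:
        raise RuntimeError(f"{name} is not set")
    if not value.startswith(prefix):
        raise RuntimeError(f"{name} does not look like a {prefix}* secret")
    return value


def parse_signature_header(header: str) -> Tuple[int, List[str]]:
    """Split 't=<ts>,v1=<hex>[,v1=<hex>...]' into the timestamp and v1 MACs."""
    timestamp = None
    signatures: List[str] = []
    for item in header.split(","):
        key, _, val = item.strip().partition("=")
        if key == "t":
            timestamp = int(val)  # ValueError on garbage, caught by caller
        elif key == "v1":
            signatures.append(val)
    if timestamp is None or not signatures:
        raise ValueError("malformed Stripe-Signature header")
    return timestamp, signatures


def compute_signature(secret: str, timestamp: int, payload: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>' keyed with the whsec_ secret."""
    signed = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def verify_webhook(payload: bytes, header: str, secret: str,
                   now: Optional[int] = None, tolerance: int = DEFAULT_TOLERANCE) -> bool:
    """True only if some v1 signature matches and the timestamp is fresh."""
    try:
        timestamp, signatures = parse_signature_header(header)
    except ValueError:
        return False
    expected = compute_signature(secret, timestamp, payload)
    # Constant-time compare against every v1 value: Stripe sends several
    # while an endpoint secret is being rotated.
    if not any(hmac.compare_digest(expected, sig) for sig in signatures):
        return False
    current = int(time.time()) if now is None else now
    return abs(current - timestamp) <= tolerance


if __name__ == "__main__":
    # Constructed sample: a stand-in environment, body and header.
    env = {"STRIPE_SECRET_KEY": "sk_test_example",
           "STRIPE_WEBHOOK_SECRET": "whsec_example"}
    api_key = load_secret("STRIPE_SECRET_KEY", "sk_", env)          # would go into stripe.api_key
    endpoint_secret = load_secret("STRIPE_WEBHOOK_SECRET", "whsec_", env)
    body = b'{"id":"evt_1","type":"payment_intent.succeeded"}'
    ts = 1_700_000_000
    header = f"t={ts},v1={compute_signature(endpoint_secret, ts, body)}"
    print(verify_webhook(body, header, endpoint_secret, now=ts))         # True
    print(verify_webhook(body + b" ", header, endpoint_secret, now=ts))  # False: body tampered
    print(verify_webhook(body, header, endpoint_secret, now=ts + 600))   # False: outside tolerance
```

Verify against the raw request body bytes, not a re-serialised JSON object, since any whitespace or key-order change alters the MAC; and keep the timestamp check, because a valid signature alone does not stop an attacker from replaying a captured event.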
Full report: https://skillshield.io/report/2aa836c3de6f11d0
Powered by SkillShield