engineering-stripe-game-payments
Pass
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill implements Stripe webhook signature verification using the official SDK method (
stripe.webhooks.constructEvent), preventing spoofing of payment events. - [SAFE]: Sensitive information such as API keys and webhook secrets are correctly managed via environment variables (
process.env.STRIPE_SECRET_KEY,process.env.STRIPE_WEBHOOK_SECRET) rather than being hardcoded. - [SAFE]: The code utilizes idempotency keys for checkout session creation and maintains an event log to prevent duplicate processing of the same transaction, ensuring financial integrity.
- [SAFE]: Dependencies are restricted to well-known, official libraries (
stripe,elysia). - [SAFE]: The documentation includes explicit security warnings, such as advising against storing API keys in client-side code and emphasizing server-side fulfillment logic.
Audit Metadata