010114-stripe-integration

Fail

Audited by Snyk on Jul 8, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). Multiple install URLs point to packages.stripe.dev (a third-party JFrog artifact endpoint rather than stripe.com) and the RPM repo example in the inputs disables GPG verification (gpgcheck=0), which are high-risk indicators for package distribution and could be abused to deliver malware.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the skill files for high-entropy, literal credentials. I flagged a high-entropy token embedded in a CLI pairing URL in the install documentation because it appears to be a real-looking, random token (t=THQdJfL3x12udFkNorJL8OF1iFlN8Az1) rather than a placeholder.

I did NOT flag:

  • The pairing code "enjoy-enough-outwit-win" (references/install.md) — low-entropy, human-readable sample/code shown in an example, treated as documentation/example text.
  • Environment variable names and placeholders such as "sk_live_..." or "VERCEL_PROJECT_ID=..." — these are placeholders or variable names per the ignore rules.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The SKILL.md is explicitly a Stripe integration guide: it documents payment APIs (Checkout Sessions, PaymentIntents, SetupIntents), Connect/platform Accounts, Treasury Financial Accounts, subscription/billing APIs, and environment variables including STRIPE_SECRET_KEY and webhook secret. These are specific, purpose-built financial APIs and credentials that enable creating charges, saving payment methods, managing accounts, and interacting with financial accounts — i.e., direct financial execution capabilities.

Issues (3)

E005
CRITICAL

Suspicious download URL detected in skill instructions.

W008
HIGH

Secret detected in skill content (API keys, tokens, passwords).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jul 8, 2026, 12:19 PM
Issues
3
Security Audit — snyk — 010114-stripe-integration