stripe-link-cli

Warn

Audited by Snyk on Jun 16, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill requires and explicitly suggests running the external @stripe/link-cli package (https://github.com/stripe/link-cli and via npm/npx commands like "npm install -g @stripe/link-cli" or "npx @stripe/link-cli"), which, when invoked at runtime, fetches and executes remote code that the skill relies on.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill explicitly wraps Stripe's Link CLI (@stripe/link-cli) and provides commands to create and execute spend requests and payment operations: e.g., payment-methods list, spend-request create (with amount/line-item/--request-approval), spend-request retrieve (returning card credentials), and link-cli mpp pay to submit payment to MPP merchants. It also supports Shared Payment Tokens (SPT) and one-time virtual cards and can run as an MCP server to accept commands over stdio. These are specific, purpose-built payment/transaction operations (not generic tooling) that directly enable moving money or authorizing payments (even though spends require user approval). Therefore this skill grants Direct Financial Execution authority.

Issues (2)

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 16, 2026, 02:27 AM
Issues
2
Security Audit — snyk — stripe-link-cli