stripe-link-cli
Warn
Audited by Snyk on Jun 16, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill requires and explicitly suggests running the external @stripe/link-cli package (https://github.com/stripe/link-cli and via npm/npx commands like "npm install -g @stripe/link-cli" or "npx @stripe/link-cli"), which, when invoked at runtime, fetches and executes remote code that the skill relies on.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly wraps Stripe's Link CLI (@stripe/link-cli) and provides commands to create and execute spend requests and payment operations: e.g., payment-methods list, spend-request create (with amount/line-item/--request-approval), spend-request retrieve (returning card credentials), and link-cli mpp pay to submit payment to MPP merchants. It also supports Shared Payment Tokens (SPT) and one-time virtual cards and can run as an MCP server to accept commands over stdio. These are specific, purpose-built payment/transaction operations (not generic tooling) that directly enable moving money or authorizing payments (even though spends require user approval). Therefore this skill grants Direct Financial Execution authority.
Issues (2)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata