stripe-dispute
Pass
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses
curlto interact with Stripe API endpoints for retrieving dispute, charge, and customer details, and for uploading evidence files. - [COMMAND_EXECUTION]: Employs
node -eto execute a hardcoded JavaScript snippet that uses the Playwright library to capture a website as a PDF. - [COMMAND_EXECUTION]: Uses
mkdir -pto create local directories for storing evidence, with the folder name partially derived from customer names retrieved from external APIs. - [EXTERNAL_DOWNLOADS]: Downloads PDF invoices from Stripe and navigates to user-provided URLs to capture cancellation and refund policies.
- [DATA_EXFILTRATION]: Reads sensitive business data from an application database (using
DATABASE_URL) and customer financial data from the Stripe API to compile evidence packages that are subsequently uploaded to Stripe. This is the core functionality of the skill. - [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection as it processes untrusted data from the Stripe API and application database.
- Ingestion points: Data is ingested from Stripe API responses (dispute details, customer names, billing info) and SQL query results (user profiles, activity logs, project names).
- Boundary markers: No specific boundary markers or instruction-guarding delimiters are used when interpolating this data into rebuttal templates or activity logs.
- Capability inventory: The skill has capabilities for network communication (Stripe API), local file system modification (writing PDFs and creating directories), and shell command execution.
- Sanitization: There is no evidence of sanitization or escaping applied to external data before it is used to generate rebuttal text or HTML for the activity logs.
Audit Metadata