stripe-best-practices

Pass

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: SAFE
Full Analysis
  • Secure Secret Management: The skill emphasizes proper handling of sensitive credentials, explicitly advising against hardcoding API keys and recommending the use of secure vaults (e.g., AWS Secrets Manager, HashiCorp Vault) or restricted environment variables.
  • Least Privilege Principle: It guides users to prefer Restricted API Keys (RAKs) with minimum necessary permissions over full secret keys, which is a key security best practice to limit the potential impact of a key compromise.
  • Integration Integrity: The guidance correctly identifies and warns against deprecated APIs (like the Charges API or legacy account types) in favor of modern, secure alternatives like Checkout Sessions and Accounts v2.
  • Webhook and CSRF Protection: Clear instructions are provided for verifying webhook signatures to prevent spoofing and using state parameters in OAuth flows to mitigate Cross-Site Request Forgery (CSRF) attacks.
  • Official Resource References: All external links and documentation references point exclusively to official Stripe domains (docs.stripe.com, dashboard.stripe.com, support.stripe.com), ensuring users access authoritative and safe information.
Audit Metadata
Risk Level
SAFE
Analyzed
May 20, 2026, 05:15 AM
Security Audit — agent-trust-hub — stripe-best-practices