Is stripe-api safe?

https://clawhub.ai/byungkyu/stripe-api

78
CAUTION

This skill is a documentation-only Stripe API reference with no executable files or install-time risks. However, its architecture routes all Stripe API traffic, including payment data, customer PII, and financial records, through a third-party proxy (gateway.maton.ai) rather than directly to Stripe. Users must fully trust the Maton service as an intermediary. The skill's documentation also contains runnable code blocks that an agent may execute without explicit confirmation, and it cross-references another skill that could expand the proxy surface.

Category Scores

Prompt Injection 72/100 · 30%
Data Exfiltration 68/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (9)

HIGH All Stripe traffic proxied through third-party gateway -22

Every API call is routed through gateway.maton.ai instead of directly to api.stripe.com. The gateway operator (Maton) has full access to all request and response data including customer PII, payment details, subscription information, and financial records. Users must trust Maton as an intermediary for all their Stripe operations.

MEDIUM API key transmitted to third-party on every request -10

The MATON_API_KEY environment variable is sent as a Bearer token to maton.ai servers on every API call. This key grants access to the user's Maton account and all connected services, not just Stripe.

MEDIUM Cross-skill reference may trigger unwanted skill installation -13

The skill description explicitly references another skill URL: 'For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway)'. An agent may attempt to install this additional skill without explicit user consent, expanding the attack surface.

MEDIUM Executable code blocks encourage agent to run arbitrary commands -15

SKILL.md contains numerous Python heredoc code blocks (python <<'EOF' ... EOF) that an LLM agent would be likely to execute directly. While the code itself targets legitimate Stripe endpoints, the pattern trains the agent to execute embedded code from skill files, which could be exploited in a supply chain attack via a future skill update.

LOW OAuth tokens managed by third party reduce user control -15

OAuth connection management (create, delete, list) is handled entirely through ctrl.maton.ai. Users cannot manage their own OAuth tokens directly with Stripe, creating a dependency on the Maton service and reducing the user's ability to audit or revoke access.

LOW Troubleshooting section instructs agent to echo secrets -5

The troubleshooting section includes 'echo $MATON_API_KEY' as a diagnostic step. If an agent follows this instruction, the API key would be displayed in the conversation output, potentially visible in logs or screenshots.

INFO No executable install artifacts 0

The skill contains no package.json scripts, git hooks, submodules, symlinks, or executable files. It is purely a markdown documentation file with metadata.

INFO Clean install with no side effects 0

Installation produced no network activity, no process execution, no filesystem changes outside the skill directory, and no firewall-blocked connections.

INFO Skill ecosystem lock-in pattern -30

The skill is part of a broader Maton ecosystem (gateway.maton.ai, ctrl.maton.ai, connect.maton.ai) and references sibling skills, suggesting a pattern where multiple skills route different SaaS APIs through the same proxy infrastructure.