Is felipeoff/stripe-cli-skill safe?

https://github.com/openclaw/skills/tree/main/skills/felipeoff/stripe-cli-skill

99
SAFE

This is a well-designed Stripe CLI wrapper skill that follows security best practices with sandbox-first operations, localhost-only webhook forwarding, and clear security guardrails. The included shell scripts are transparent and safe, serving legitimate development purposes.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 95/100 · 5%

Findings (2)

LOW Sensitive file system access during installation -5

During skill installation, sensitive files, including .env, SSH keys, and AWS credentials, were accessed by system processes. However, the files were not modified and canary integrity was maintained, suggesting normal SSH/system behavior rather than malicious access.

INFO API interaction capabilities -5

The skill enables interaction with Stripe APIs and webhook forwarding, which carries inherent risks if misused. However, the skill implements security guardrails, including localhost-only forwarding restrictions and a sandbox-first approach.