# check-stripe

Author: phrazzld

Install this skill (specific skill from a multi-skill repository):

```bash
npx skills add phrazzld/claude-config --skill "check-stripe"
```


# SKILL.md

---
name: check-stripe
description: |
  Audit Stripe integration: configuration, webhooks, subscription logic, security.
  Outputs structured findings. Use log-stripe-issues to create issues.
  Invoke for: Stripe audit, payment review, subscription analysis.
---

# /check-stripe

Audit Stripe integration. Output findings as structured report.

## What This Does

  1. Check Stripe configuration (env vars, SDK)
  2. Audit webhook setup and handling
  3. Review subscription logic
  4. Check security practices
  5. Verify test/production separation
  6. Output prioritized findings (P0-P3)

This is a primitive. It only investigates and reports. Use /log-stripe-issues to create GitHub issues or /fix-stripe to fix.

## Process

### 1. Configuration Check

```bash
# Stripe SDK installed?
grep -q "stripe" package.json 2>/dev/null && echo "✓ Stripe SDK" || echo "✗ Stripe SDK not installed"

# Environment variables (set in the shell, or present in .env.local)
{ [ -n "$STRIPE_SECRET_KEY" ] || grep -q "STRIPE_SECRET_KEY" .env.local 2>/dev/null; } && echo "✓ STRIPE_SECRET_KEY" || echo "✗ STRIPE_SECRET_KEY missing"
{ [ -n "$STRIPE_WEBHOOK_SECRET" ] || grep -q "STRIPE_WEBHOOK_SECRET" .env.local 2>/dev/null; } && echo "✓ STRIPE_WEBHOOK_SECRET" || echo "✗ STRIPE_WEBHOOK_SECRET missing"
{ [ -n "$NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY" ] || grep -q "STRIPE_PUBLISHABLE_KEY" .env.local 2>/dev/null; } && echo "✓ Publishable key" || echo "✗ Publishable key missing"

# Test vs Production keys
grep "STRIPE_SECRET_KEY" .env.local 2>/dev/null | grep -q "sk_test" && echo "✓ Using test key (dev)" || echo "⚠ Check key type"
```
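The configuration check above and the "Secret key exposure?" step of the security check boil down to a few questions about each Stripe key: what kind is it, which mode is it in, does it match the deployment environment, and could it reach the browser. The following is an added example, not code from the check-stripe skill, that answers those questions for any name-to-value map (process.env or a parsed .env.local) and emits findings with the skill's P0-P3 priorities. The key prefixes (sk_, rk_, pk_, whsec_) are Stripe's own; the sample values are constructed placeholders, not real keys, and the priority for "live key outside production" is this example's choice since the skill's mapping table has no entry for it.

```javascript
// Added example (not part of the check-stripe skill): key-type and environment
// audit returning findings with the skill's priorities. `env` is any
// name -> value map; `nodeEnv` is the NODE_ENV the app runs with.
const KEY_PREFIXES = [
  ["sk_live_", "secret", "live"],
  ["sk_test_", "secret", "test"],
  ["rk_live_", "restricted", "live"],   // restricted API keys
  ["rk_test_", "restricted", "test"],
  ["pk_live_", "publishable", "live"],
  ["pk_test_", "publishable", "test"],
  ["whsec_", "webhook_secret", null],   // webhook signing secrets have no mode prefix
];

function classifyStripeKey(value) {
  for (const [prefix, kind, mode] of KEY_PREFIXES) {
    if (typeof value === "string" && value.startsWith(prefix)) return { kind, mode };
  }
  return { kind: "unknown", mode: null };
}

// Variables the skill expects, with the priority its mapping table assigns when missing.
const REQUIRED = {
  STRIPE_SECRET_KEY: "P1",
  STRIPE_WEBHOOK_SECRET: "P0",
  NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY: "P1",
};

function auditStripeEnv(env, nodeEnv) {
  const findings = [];
  const add = (priority, message) => findings.push({ priority, message });
  const isProd = nodeEnv === "production";

  for (const [name, priority] of Object.entries(REQUIRED)) {
    if (!env[name]) add(priority, `${name} missing`);
  }

  for (const [name, value] of Object.entries(env)) {
    const { kind, mode } = classifyStripeKey(value);
    if (kind === "unknown") continue;
    // Next.js inlines NEXT_PUBLIC_* values into the browser bundle, so a secret
    // or restricted key under that prefix is shipped to every visitor.
    if (name.startsWith("NEXT_PUBLIC_") && (kind === "secret" || kind === "restricted")) {
      add("P0", `${name} holds a ${kind} key that would ship to the browser`);
    }
    if (isProd && mode === "test") add("P0", `${name} is a test-mode key in production`);
    // Priority below is this example's choice; the skill's table has no entry for it.
    if (!isProd && mode === "live") add("P1", `${name} is a live-mode key outside production`);
  }

  // Client and server must point at the same Stripe mode or Checkout/Elements calls fail.
  const secretMode = classifyStripeKey(env.STRIPE_SECRET_KEY).mode;
  const publishableMode = classifyStripeKey(env.NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY).mode;
  if (secretMode && publishableMode && secretMode !== publishableMode) {
    add("P1", `secret key is ${secretMode}-mode but publishable key is ${publishableMode}-mode`);
  }

  // P0 first, matching the order of the skill's report.
  return findings.sort((a, b) => a.priority.localeCompare(b.priority));
}

// Constructed sample environments (placeholder values, not real keys).
const SAMPLE_BAD_ENV = {
  STRIPE_SECRET_KEY: "sk_test_constructed000000",
  NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY: "pk_live_constructed000000",
  NEXT_PUBLIC_STRIPE_SERVER_KEY: "sk_live_constructed000000", // secret key under a public prefix
};
const SAMPLE_GOOD_ENV = {
  STRIPE_SECRET_KEY: "sk_live_constructed000000",
  STRIPE_WEBHOOK_SECRET: "whsec_constructed000000",
  NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY: "pk_live_constructed000000",
};

console.log(auditStripeEnv(SAMPLE_BAD_ENV, "production"));
console.log(auditStripeEnv(SAMPLE_GOOD_ENV, "production"));
```

Run against the bad sample in production mode it reports four findings: the missing webhook secret, the test-mode secret key, the secret key under a NEXT_PUBLIC_ name, and the live/test mismatch between server and client keys; the good sample reports none.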

### 2. Webhook Audit

```bash
# Webhook endpoint exists?
find . -path "*/api/*webhook*" -name "route.ts" 2>/dev/null | head -3

# Webhook signature verification?
grep -rE "constructEvent|stripe\.webhooks\.constructEvent" --include="*.ts" . 2>/dev/null | grep -v node_modules | head -3

# Webhook event handling?
grep -rE "checkout\.session\.completed|invoice\.paid|customer\.subscription" --include="*.ts" . 2>/dev/null | grep -v node_modules | head -5
```

### 3. Security Check

```bash
# Hardcoded keys?
grep -rE "sk_live_|sk_test_|pk_live_|pk_test_" --include="*.ts" --include="*.tsx" . 2>/dev/null | grep -v node_modules | grep -v ".env"

# Secret key exposure?
grep -rE "STRIPE_SECRET_KEY" --include="*.tsx" . 2>/dev/null | grep -v node_modules

# Proper server-side usage?
grep -rE "stripe\." --include="*.tsx" . 2>/dev/null | grep -v node_modules | grep -v "loadStripe" | head -5
```

### 4. Subscription Logic

```bash
# Subscription status handling?
grep -rE "subscription\.status|active|canceled|past_due|trialing" --include="*.ts" . 2>/dev/null | grep -v node_modules | head -5

# Customer portal?
grep -rE "createBillingPortalSession|billing.*portal" --include="*.ts" . 2>/dev/null | grep -v node_modules | head -3

# Price/product IDs?
grep -rE "price_|prod_" --include="*.ts" . 2>/dev/null | grep -v node_modules | head -5
```
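The P1 finding "Subscription status not checked on protected routes" is about the decision a route makes from a stored subscription record, not merely whether the word `active` appears somewhere. The following is an added example, not code from the check-stripe skill, of that decision: it maps Stripe's `subscription.status` values to allow/deny, gives `past_due` a grace period while Stripe retries the renewal, and treats an "active" record whose period ended long ago as stale rather than trusting it, since a missed webhook is exactly how such records arise. It assumes the local record stores `current_period_end` as unix seconds and carries `cancel_at_period_end`; the grace and staleness windows and the sample users are constructed.

```javascript
// Added example (not part of the check-stripe skill): access decision for a
// protected route from a stored Stripe subscription record.
const DAY = 86400;
const GRANTS_ACCESS = new Set(["active", "trialing"]);
const GRACE_DAYS = 7; // assumption: keep access while Stripe retries a failed renewal
const STALE_DAYS = 1; // assumption: an "active" record this far past period end is suspect

function subscriptionAccess(sub, nowSeconds) {
  if (!sub) return { allowed: false, reason: "no subscription on file" };
  const periodEnd = Number(sub.current_period_end);

  if (GRANTS_ACCESS.has(sub.status)) {
    // Webhooks can be missed or mis-ordered; an active record well past its
    // period end means the local copy is stale and must be re-fetched, not trusted.
    if (Number.isFinite(periodEnd) && nowSeconds > periodEnd + STALE_DAYS * DAY) {
      return { allowed: false, reason: "stale record: re-fetch from Stripe" };
    }
    return { allowed: true, reason: sub.cancel_at_period_end ? "active until period end" : sub.status };
  }

  if (sub.status === "past_due") {
    const withinGrace = Number.isFinite(periodEnd) && nowSeconds <= periodEnd + GRACE_DAYS * DAY;
    return withinGrace
      ? { allowed: true, reason: "past_due, inside grace period" }
      : { allowed: false, reason: "past_due, grace period over" };
  }

  // canceled, unpaid, incomplete, incomplete_expired, paused: no access.
  return { allowed: false, reason: sub.status };
}

// The same decision applied as a route guard; `lookup` returns the user's record.
function guardProtectedRoute(lookup, userId, nowSeconds) {
  const verdict = subscriptionAccess(lookup(userId), nowSeconds);
  return verdict.allowed ? { status: 200 } : { status: 402, reason: verdict.reason };
}

// Constructed sample records keyed by user.
const NOW = 1700000000;
const SAMPLE_SUBSCRIPTIONS = {
  alice: { status: "active", current_period_end: NOW + 20 * DAY, cancel_at_period_end: false },
  bob: { status: "past_due", current_period_end: NOW - 3 * DAY, cancel_at_period_end: false },
  carol: { status: "past_due", current_period_end: NOW - 10 * DAY, cancel_at_period_end: false },
  dave: { status: "canceled", current_period_end: NOW - 1 * DAY, cancel_at_period_end: false },
  erin: { status: "active", current_period_end: NOW - 5 * DAY, cancel_at_period_end: true },
};

function runDemo() {
  const lookup = (id) => SAMPLE_SUBSCRIPTIONS[id];
  const out = {};
  for (const user of [...Object.keys(SAMPLE_SUBSCRIPTIONS), "frank"]) {
    out[user] = guardProtectedRoute(lookup, user, NOW);
  }
  return out;
}

console.log(runDemo());
```

The reason strings are meant for logs, not for the response body; the route returns only the status. Note that `erin` is denied even though her record says `active`: the record is five days past its period end, which is the signal that the webhook feed fell behind.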

### 5. CLI Profile Check

```bash
# Stripe CLI configured?
command -v stripe >/dev/null && echo "✓ Stripe CLI installed" || echo "✗ Stripe CLI not installed"

# Check profiles. A pipeline's exit status is that of its last command (head),
# so the CLI call is tested on its own rather than through `| head -5 || ...`.
if profiles=$(stripe config --list 2>/dev/null); then
  printf '%s\n' "$profiles" | head -5
else
  echo "Stripe CLI not configured"
fi
```

### 6. Deep Audit

Spawn stripe-auditor agent for comprehensive review:
- Checkout session parameters
- Subscription creation patterns
- Error handling in payment flows
- Idempotency key usage
- Customer creation/retrieval
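Two of the deep-audit items, idempotency key usage and error handling in payment flows, are really one question: when a payment call fails with a transient error and is retried, can the retry create a second charge? The following is an added example, not code from the check-stripe skill, showing the pattern the audit should look for: the idempotency key is derived from the business operation (the order id) rather than generated per attempt, only transient error types are retried, and card declines surface immediately. The call shape `stripe.paymentIntents.create(params, { idempotencyKey })` and the `err.type` strings are those of the stripe-node SDK; the `stripe` object here is a constructed fake that mimics Stripe's behaviour of replaying the original response for a repeated key, so the example runs offline.

```javascript
// Added example (not part of the check-stripe skill): retry on transient errors
// while reusing one idempotency key per business operation.
const TRANSIENT_ERROR_TYPES = new Set([
  "StripeConnectionError", // network failure; the response was never seen
  "StripeAPIError",        // 5xx from Stripe
  "StripeRateLimitError",  // 429
]);

// One business operation -> one key. Deriving it from the order id (not from
// Date.now() or a fresh UUID per attempt) is what makes retries safe.
function idempotencyKeyFor(orderId) {
  return `order-${orderId}-payment-intent`;
}

async function createPaymentWithRetry(stripe, orderId, params, options = {}) {
  const { maxAttempts = 3, sleep = async () => {} } = options;
  const idempotencyKey = idempotencyKeyFor(orderId);
  let lastError;
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    try {
      return await stripe.paymentIntents.create(params, { idempotencyKey });
    } catch (err) {
      lastError = err;
      if (!TRANSIENT_ERROR_TYPES.has(err.type)) throw err; // declines, bad params: never retry blindly
      await sleep(100 * 2 ** (attempt - 1)); // exponential backoff
    }
  }
  throw lastError;
}

// Constructed fake of the SDK surface used above. It fails the first
// `transientFailures` calls, then stores one response per idempotency key and
// replays it for repeated keys, as Stripe does.
function makeFakeStripe({ transientFailures = 0, declineAll = false } = {}) {
  const responsesByKey = new Map();
  const calls = [];
  let failuresLeft = transientFailures;
  return {
    calls,
    responsesByKey,
    paymentIntents: {
      async create(params, opts) {
        calls.push(opts.idempotencyKey);
        if (failuresLeft > 0) {
          failuresLeft -= 1;
          throw Object.assign(new Error("socket hang up"), { type: "StripeConnectionError" });
        }
        if (declineAll) {
          throw Object.assign(new Error("Your card was declined."), { type: "StripeCardError" });
        }
        if (responsesByKey.has(opts.idempotencyKey)) return responsesByKey.get(opts.idempotencyKey);
        const intent = { id: `pi_constructed_${responsesByKey.size + 1}`, amount: params.amount, currency: params.currency };
        responsesByKey.set(opts.idempotencyKey, intent);
        return intent;
      },
    },
  };
}

async function runDemo() {
  const params = { amount: 1999, currency: "usd" };

  // Two transient failures, then success: one key across all three attempts.
  const flaky = makeFakeStripe({ transientFailures: 2 });
  const intent = await createPaymentWithRetry(flaky, "A100", params);
  const attemptsForFirst = flaky.calls.length;
  // A duplicated job for the same order replays the original intent instead of charging again.
  const again = await createPaymentWithRetry(flaky, "A100", params);

  // A card decline is not transient and must surface after a single attempt.
  const declining = makeFakeStripe({ declineAll: true });
  let declineError = null;
  try {
    await createPaymentWithRetry(declining, "A101", params);
  } catch (err) {
    declineError = err.type;
  }

  return {
    attemptsForFirst,                          // 3
    distinctKeys: new Set(flaky.calls).size,   // 1
    chargesCreated: flaky.responsesByKey.size, // 1, even after the second call
    sameIntent: intent.id === again.id,        // true
    declineAttempts: declining.calls.length,   // 1
    declineError,                              // "StripeCardError"
  };
}

runDemo().then((result) => console.log(result));
```

Two Stripe behaviours the fake does not model but a reviewer should keep in mind: a key reused with different parameters is rejected with an error rather than replayed, so the key must be tied to the exact operation, and keys are only remembered for 24 hours, so a retry after that window is a new request.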

## Output Format

```markdown
## Stripe Audit

### P0: Critical (Payment Failures)
- STRIPE_WEBHOOK_SECRET missing - Webhooks unverified (security risk)
- Hardcoded test key in production code

### P1: Essential (Must Fix)
- Webhook signature not verified - Security vulnerability
- No customer portal configured - Users can't manage subscriptions
- Subscription status not checked on protected routes
- Missing STRIPE_SECRET_KEY in production env

### P2: Important (Should Fix)
- No idempotency keys on payment operations
- Subscription cancellation not handled gracefully
- No retry logic on transient Stripe errors
- Stripe CLI not using profiles (sandbox vs production)

### P3: Nice to Have
- Consider adding Stripe Tax
- Consider adding usage-based billing
- Add subscription analytics dashboard

## Current Status
- SDK: Installed
- Webhooks: Configured but unverified
- Subscriptions: Basic implementation
- Security: Issues found
- Test/Prod separation: Not enforced

## Summary
- P0: 2 | P1: 4 | P2: 4 | P3: 3
- Recommendation: Fix webhook verification and add customer portal
```

## Priority Mapping

| Gap | Priority |
|-----|----------|
| Missing webhook secret | P0 |
| Hardcoded keys | P0 |
| Webhook verification missing | P1 |
| No customer portal | P1 |
| Subscription status not checked | P1 |
| No idempotency keys | P2 |
| Poor error handling | P2 |
| Missing CLI profiles | P2 |
| Advanced features | P3 |

## Related Skills

- /log-stripe-issues - Create GitHub issues from findings
- /fix-stripe - Fix Stripe issues
- /stripe - Full Stripe lifecycle management
- /stripe-audit - Comprehensive Stripe audit
- /stripe-health - Webhook health diagnostics
