stripe-connect
Facilitates the integration of Stripe Connect for marketplace projects using Supabase and React/Flutter, streamlining payment processes.
Security score
The stripe-connect skill was audited on Jun 7, 2026 and we found 26 security issues across 4 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 401 | ```json |
Webhook reference - potential data exfiltration
| 137 | supabase/functions/stripe-webhook/index.ts |
Webhook reference - potential data exfiltration
| 218 | - `stripe-webhook/index.ts` — signature verification with `constructEventAsync`, platform vs connect routing by header, idempotency with the `stripe_processed_events` table |
Webhook reference - potential data exfiltration
| 315 | 2. Webhook handler without `constructEvent`/`constructEventAsync` |
Webhook reference - potential data exfiltration
| 379 | - `infra/stripe/README.md` — 4-6 step checklist: exact env vars (`STRIPE_SECRET_KEY`, `STRIPE_WEBHOOK_SECRET_PLATFORM`, `STRIPE_WEBHOOK_SECRET_CONNECT`, `STRIPE_PUBLISHABLE_KEY`, `DEFAULT_APPLICATIO |
Webhook reference - potential data exfiltration
| 454 | STRIPE_WEBHOOK_SECRET_PLATFORM: env.STRIPE_WEBHOOK_SECRET_PLATFORM, |
Webhook reference - potential data exfiltration
| 455 | STRIPE_WEBHOOK_SECRET_CONNECT: env.STRIPE_WEBHOOK_SECRET_CONNECT, |
Webhook reference - potential data exfiltration
| 475 | expected_names: ["STRIPE_SECRET_KEY", "STRIPE_WEBHOOK_SECRET_PLATFORM", |
Webhook reference - potential data exfiltration
| 476 | "STRIPE_WEBHOOK_SECRET_CONNECT", "DEFAULT_APPLICATION_FEE_PERCENT"] |
Webhook reference - potential data exfiltration
| 485 | STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET_PLATFORM, |
Webhook reference - potential data exfiltration
| 486 | STRIPE_WEBHOOK_SECRET_CONNECT, DEFAULT_APPLICATION_FEE_PERCENT |
Webhook reference - potential data exfiltration
| 497 | STRIPE_WEBHOOK_SECRET_PLATFORM = <from stripe listen output> |
Webhook reference - potential data exfiltration
| 498 | STRIPE_WEBHOOK_SECRET_CONNECT = <from stripe listen output> |
Webhook reference - potential data exfiltration
| 518 | ├── UC-306.feature # Webhook signature + idempotency (uses stripe trigger --replay) |
Webhook reference - potential data exfiltration
| 554 | 3. Start the webhook relay (another terminal): |
Webhook reference - potential data exfiltration
| 555 | stripe listen --forward-to http://localhost:54321/functions/v1/stripe-webhook |
Webhook reference - potential data exfiltration
| 562 | 5. Copy the 4 secrets (STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET_PLATFORM, |
Webhook reference - potential data exfiltration
| 563 | STRIPE_WEBHOOK_SECRET_CONNECT, DEFAULT_APPLICATION_FEE_PERCENT) to the |
Webhook reference - potential data exfiltration
| 630 | - Stripe Docs: [Connect](https://docs.stripe.com/connect) · [Direct charges](https://docs.stripe.com/connect/direct-charges) · [Subscriptions embedded](https://docs.stripe.com/billing/subscriptions/bu |
Access to .env file
| 314 | 1. `sk_live_*` in code (not in `.env*` or `.md`) |
Access to .env file
| 496 | STRIPE_SECRET_KEY = <from .env> |
External URL reference
| 318 | 5. Payment Link URL `https://buy.stripe.com/` |
External URL reference
| 405 | "url": "https://mcp.stripe.com/v1", |
External URL reference
| 443 | user a valid PAT and retry. Link: <https://supabase.com/dashboard/account/tokens>. |
External URL reference
| 555 | stripe listen --forward-to http://localhost:54321/functions/v1/stripe-webhook |
External URL reference
| 631 | - Stripe MCP oficial: [mcp.stripe.com](https://mcp.stripe.com/v1) |