This skill audits Stripe integration across configuration, webhooks, subscription logic, and security, delivering structured findings to guide fixes.
```bash
npx playbooks add skill phrazzld/claude-config --skill check-stripe
```
---
name: check-stripe
description: |
Audit Stripe integration: configuration, webhooks, subscription logic, security.
Outputs structured findings. Use log-stripe-issues to create issues.
Invoke for: Stripe audit, payment review, subscription analysis.
effort: high
---
# /check-stripe
Audit Stripe integration. Output findings as structured report.
## What This Does
1. Check Stripe configuration (env vars, SDK)
2. Audit webhook setup and handling
3. Review subscription logic
4. Check security practices
5. Verify test/production separation
6. Output prioritized findings (P0-P3)
**This is a primitive.** It only investigates and reports. Use `/log-stripe-issues` to create GitHub issues or `/fix-stripe` to fix.
## Process
### 1. Configuration Check
```bash
# Stripe SDK installed?
grep -q "stripe" package.json 2>/dev/null && echo "✓ Stripe SDK" || echo "✗ Stripe SDK not installed"
# Environment variables
[ -n "$STRIPE_SECRET_KEY" ] || grep -q "STRIPE_SECRET_KEY" .env.local 2>/dev/null && echo "✓ STRIPE_SECRET_KEY" || echo "✗ STRIPE_SECRET_KEY missing"
[ -n "$STRIPE_WEBHOOK_SECRET" ] || grep -q "STRIPE_WEBHOOK_SECRET" .env.local 2>/dev/null && echo "✓ STRIPE_WEBHOOK_SECRET" || echo "✗ STRIPE_WEBHOOK_SECRET missing"
[ -n "$NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY" ] || grep -q "STRIPE_PUBLISHABLE_KEY" .env.local 2>/dev/null && echo "✓ Publishable key" || echo "✗ Publishable key missing"
# Test vs Production keys
grep "STRIPE_SECRET_KEY" .env.local 2>/dev/null | grep -q "sk_test" && echo "✓ Using test key (dev)" || echo "⚠ Check key type"
```
### 2. Webhook Audit
```bash
# Webhook endpoint exists?
find . -path "*/api/*webhook*" -name "route.ts" 2>/dev/null | head -3
# Webhook signature verification?
grep -rE "constructEvent|stripe\.webhooks\.constructEvent" --include="*.ts" . 2>/dev/null | grep -v node_modules | head -3
# Webhook event handling?
grep -rE "checkout\.session\.completed|invoice\.paid|customer\.subscription" --include="*.ts" . 2>/dev/null | grep -v node_modules | head -5
```
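What the `constructEvent` grep above is looking for, as an added example that is not code from this skill or from the Stripe SDK: a re-implementation of the `Stripe-Signature` check (HMAC-SHA256 over `timestamp.rawBody`, constant-time comparison, 300-second replay tolerance) using only `node:crypto`. The secret, timestamp and event id below are constructed placeholders; a real route handler should call `stripe.webhooks.constructEvent` on the raw request body with `STRIPE_WEBHOOK_SECRET`.

```typescript
// Added example (not from the check-stripe skill or the Stripe SDK): the Stripe-Signature
// check that stripe.webhooks.constructEvent performs, using only node:crypto.
import { createHmac, timingSafeEqual } from "node:crypto";
const DEFAULT_TOLERANCE_SEC = 300; // Stripe's default replay window

// Parse "t=<unix>,v1=<hex>[,v0=...]" into the timestamp and all v1 signatures.
export function parseStripeSignature(header: string): { t: number; v1: string[] } {
  const parsed = { t: NaN, v1: [] as string[] };
  for (const part of header.split(",")) {
    const [k, v] = part.split("=");
    if (k === "t") parsed.t = Number(v);
    else if (k === "v1" && v) parsed.v1.push(v);
  }
  return parsed;
}

// HMAC-SHA256 over "<timestamp>.<raw body>" keyed with the whsec_ secret.
export function signPayload(secret: string, timestamp: number, rawBody: string): string {
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

// Like constructEvent: returns the parsed event, throws on any failure.
// rawBody must be the unparsed request body; re-serialised JSON will not match.
export function verifyStripeWebhook(
  rawBody: string, header: string, secret: string,
  nowSec = Math.floor(Date.now() / 1000), toleranceSec = DEFAULT_TOLERANCE_SEC,
): unknown {
  const { t, v1 } = parseStripeSignature(header);
  if (!Number.isFinite(t) || v1.length === 0) throw new Error("malformed Stripe-Signature");
  const expected = Buffer.from(signPayload(secret, t, rawBody), "hex");
  const matched = v1.some((sig) => { // constant-time compare; lengths must match first
    const got = Buffer.from(sig, "hex");
    return got.length === expected.length && timingSafeEqual(got, expected);
  });
  if (!matched) throw new Error("signature mismatch");
  if (Math.abs(nowSec - t) > toleranceSec) throw new Error("timestamp outside tolerance");
  return JSON.parse(rawBody);
}

// Boolean wrapper for callers that prefer a result to an exception.
export function isValidStripeWebhook(rawBody: string, header: string, secret: string, nowSec?: number): boolean {
  try { verifyStripeWebhook(rawBody, header, secret, nowSec); return true; } catch { return false; }
}

// Constructed sample (placeholder secret, fake event id) so the block runs offline.
export const SAMPLE_SECRET = "whsec_PLACEHOLDER_not_a_real_secret";
export const SAMPLE_TS = 1700000000;
export const SAMPLE_BODY = JSON.stringify({ id: "evt_constructed", type: "checkout.session.completed" });
export const SAMPLE_HEADER = `t=${SAMPLE_TS},v1=${signPayload(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_BODY)}`;
```

A handler that skips this step (or parses the body before verifying) is what the P0/P1 "webhooks unverified" findings refer to.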
### 3. Security Check
```bash
# Hardcoded keys?
grep -rE "sk_live_|sk_test_|pk_live_|pk_test_" --include="*.ts" --include="*.tsx" . 2>/dev/null | grep -v node_modules | grep -v ".env"
# Secret key exposure?
grep -rE "STRIPE_SECRET_KEY" --include="*.tsx" . 2>/dev/null | grep -v node_modules
# Proper server-side usage?
grep -rE "stripe\." --include="*.tsx" . 2>/dev/null | grep -v node_modules | grep -v "loadStripe" | head -5
```
### 4. Subscription Logic
```bash
# Subscription status handling?
grep -rE "subscription\.status|active|canceled|past_due|trialing" --include="*.ts" . 2>/dev/null | grep -v node_modules | head -5
# Customer portal?
grep -rE "createBillingPortalSession|billing.*portal" --include="*.ts" . 2>/dev/null | grep -v node_modules | head -3
# Price/product IDs?
grep -rE "price_|prod_" --include="*.ts" . 2>/dev/null | grep -v node_modules | head -5
```
### 5. CLI Profile Check
```bash
# Stripe CLI configured?
command -v stripe >/dev/null && echo "✓ Stripe CLI installed" || echo "✗ Stripe CLI not installed"
# Check profiles
stripe config --list 2>/dev/null | head -5 || echo "Stripe CLI not configured"
```
### 6. Local Dev Webhook Sync Check
```bash
# Does pnpm dev auto-start stripe listener?
if grep -q "stripe.*listen" package.json 2>/dev/null; then
  echo "✓ Auto-starts stripe listen"
  # Is there a sync script?
  if [ -f scripts/dev-stripe.sh ] && grep -q "print-secret" scripts/dev-stripe.sh 2>/dev/null; then
    echo "✓ Webhook secret auto-sync configured"
  else
    echo "⚠ No webhook secret auto-sync - will get 400 errors after CLI restart"
  fi
else
  echo "○ Manual stripe listen (no auto-sync needed)"
fi
```
### 7. Deep Audit
Spawn `stripe-auditor` agent for comprehensive review:
- Checkout session parameters
- Subscription creation patterns
- Error handling in payment flows
- Idempotency key usage
- Customer creation/retrieval
## Output Format
```markdown
## Stripe Audit
### P0: Critical (Payment Failures)
- STRIPE_WEBHOOK_SECRET missing - Webhooks unverified (security risk)
- Hardcoded test key in production code
### P1: Essential (Must Fix)
- Webhook signature not verified - Security vulnerability
- No customer portal configured - Users can't manage subscriptions
- Subscription status not checked on protected routes
- Missing STRIPE_SECRET_KEY in production env
### P2: Important (Should Fix)
- No idempotency keys on payment operations
- Subscription cancellation not handled gracefully
- No retry logic on transient Stripe errors
- Stripe CLI not using profiles (sandbox vs production)
- No auto-sync of local webhook secret - `pnpm dev` auto-starts `stripe listen` but doesn't sync the ephemeral secret to `.env.local`. After CLI restart, webhooks will return 400.
### P3: Nice to Have
- Consider adding Stripe Tax
- Consider adding usage-based billing
- Add subscription analytics dashboard
## Current Status
- SDK: Installed
- Webhooks: Configured but unverified
- Subscriptions: Basic implementation
- Security: Issues found
- Test/Prod separation: Not enforced
## Summary
- P0: 2 | P1: 4 | P2: 4 | P3: 3
- Recommendation: Fix webhook verification and add customer portal
```
## Priority Mapping
| Gap | Priority |
|-----|----------|
| Missing webhook secret | P0 |
| Hardcoded keys | P0 |
| Webhook verification missing | P1 |
| No customer portal | P1 |
| Subscription status not checked | P1 |
| No idempotency keys | P2 |
| Poor error handling | P2 |
| Missing CLI profiles | P2 |
| No webhook secret auto-sync | P2 |
| Advanced features | P3 |
## Related
- `/log-stripe-issues` - Create GitHub issues from findings
- `/fix-stripe` - Fix Stripe issues
- `/stripe` - Full Stripe lifecycle management
- `/stripe-audit` - Comprehensive Stripe audit
- `/stripe-health` - Webhook health diagnostics
This skill audits a project's Stripe integration and produces a prioritized, structured report of findings. It inspects configuration, webhook handling, subscription logic, security practices, and test/production separation. Use its output to decide what to fix or to convert findings into GitHub issues with the companion issue-logging primitive.
The skill scans repository files and environment settings to detect Stripe SDK usage, presence of required environment variables, and possible hardcoded keys. It locates webhook endpoints and checks whether signatures are verified, evaluates subscription and customer flows, and looks for security anti-patterns like client-side secret usage. Results are organized into priorities (P0–P3) and returned as a concise audit report.
Will this skill automatically fix issues it finds?
No. This skill only inspects and reports. Use the separate fix primitive to apply automated fixes.
Can it create GitHub issues from findings?
Yes — use the companion issue-logging primitive to convert audit findings into GitHub issues.