external-integration-patterns

Provides patterns for reliable integration with external services like Stripe and Sendgrid, ensuring observability and error handling.

Security score: 0/100

The external-integration-patterns skill was audited on Feb 9, 2026 and we found 36 security issues across 4 threat categories. Review the findings below before installing.

Security Issues

medium line 39

Template literal with variable interpolation in command context

Source: SKILL.md
39: throw new Error(`Missing required env var: ${key}`);
medium line 42

Template literal with variable interpolation in command context

Source: SKILL.md
42: throw new Error(`${key} has trailing whitespace — check dashboard for invisible characters`);
medium line 252

Template literal with variable interpolation in command context

Source: SKILL.md
252: ```bash
medium line 272

Curl to non-GitHub URL

Source: SKILL.md
272: HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:3000/api/health)
medium line 14

Webhook reference - potential data exfiltration

Source: SKILL.md
14: - File path contains `webhook`, `api/`, `services/`
medium line 18

Webhook reference - potential data exfiltration

Source: SKILL.md
18: - Reviewing webhook handlers
medium line 24

Webhook reference - potential data exfiltration

Source: SKILL.md
24: Silent failures are the worst failures. When Stripe doesn't deliver a webhook, when Clerk JWT validation fails, when Sendgrid rejects an email — you need to know immediately, not when a user complains
low line 34

Webhook reference - potential data exfiltration

Source: SKILL.md
34: const REQUIRED = ['SERVICE_API_KEY', 'SERVICE_WEBHOOK_SECRET'];
medium line 120

Webhook reference - potential data exfiltration

Source: SKILL.md
120: ### 4. Webhook Reliability
medium line 122

Webhook reference - potential data exfiltration

Source: SKILL.md
122: Webhooks are inherently unreliable. Build for this reality.
low line 125

Webhook reference - potential data exfiltration

Source: SKILL.md
125: export async function handleWebhook(req: Request) {
low line 132

Webhook reference - potential data exfiltration

Source: SKILL.md
132: event = stripe.webhooks.constructEvent(body, sig, process.env.STRIPE_WEBHOOK_SECRET!);
low line 136

Webhook reference - potential data exfiltration

Source: SKILL.md
136: source: 'webhook',
low line 147

Webhook reference - potential data exfiltration

Source: SKILL.md
147: source: 'webhook',
low line 155

Webhook reference - potential data exfiltration

Source: SKILL.md
155: await db.insert(webhookEvents).values({
medium line 173

Webhook reference - potential data exfiltration

Source: SKILL.md
173: Don't rely 100% on webhooks. Periodically sync state as a backup.
medium line 204

Webhook reference - potential data exfiltration

Source: SKILL.md
204: Don't wait for webhook to grant access. Verify payment immediately after redirect.
low line 219

Webhook reference - potential data exfiltration

Source: SKILL.md
219: // Webhook will come later as backup
medium line 234

Webhook reference - potential data exfiltration

Source: SKILL.md
234: ### Webhook Configuration
medium line 235

Webhook reference - potential data exfiltration

Source: SKILL.md
235: - [ ] Webhook URL uses canonical domain (no redirects)
low line 260

Webhook reference - potential data exfiltration

Source: SKILL.md
260: for var in ${SERVICE}_API_KEY ${SERVICE}_WEBHOOK_SECRET; do
low line 290

Webhook reference - potential data exfiltration

Source: SKILL.md
290: // ❌ BAD: Trusting webhook without verification
low line 293

Webhook reference - potential data exfiltration

Source: SKILL.md
293: // ❌ BAD: 100% reliance on webhooks
low line 294

Webhook reference - potential data exfiltration

Source: SKILL.md
294: // If webhook fails, user never gets access
medium line 303

Webhook reference - potential data exfiltration

Source: SKILL.md
303: - Use `stripe.webhooks.constructEvent()` for signature verification
medium line 304

Webhook reference - potential data exfiltration

Source: SKILL.md
304: - Check Stripe Dashboard > Developers > Webhooks for delivery logs
medium line 308

Webhook reference - potential data exfiltration

Source: SKILL.md
308: - `CONVEX_WEBHOOK_TOKEN` must match exactly between Clerk and Convex
medium line 310

Webhook reference - potential data exfiltration

Source: SKILL.md
310: - Webhook URL must not redirect
medium line 314

Webhook reference - potential data exfiltration

Source: SKILL.md
314: - Inbound parse webhooks need signature verification
low line 37

Access to .env file

Source: SKILL.md
37: const value = process.env[key];
low line 47

Access to .env file

Source: SKILL.md
47: export const apiKey = process.env.SERVICE_API_KEY!;
low line 132

Access to .env file

Source: SKILL.md
132: event = stripe.webhooks.constructEvent(body, sig, process.env.STRIPE_WEBHOOK_SECRET!);
low line 178

Access to .env file

Source: SKILL.md
178: const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);
medium line 229

Access to .env file

Source: SKILL.md
229: - [ ] All required vars in `.env.example`
low line 285

Access to .env file

Source: SKILL.md
285: const apiKey = process.env.API_KEY || '';
low line 272

External URL reference

Source: SKILL.md
272: HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:3000/api/health)
Scanned on Feb 9, 2026