payment-integration

Guides users through implementing secure payment processing with Stripe, LemonSqueezy, and Paddle, covering subscriptions and webhooks.

Install this skill

or

0/100

Security score

The payment-integration skill was audited on Feb 28, 2026 and we found 98 security issues across 4 threat categories. Review the findings below before installing.

Categories Tested

Security Issues

medium line 631

Template literal with variable interpolation in command context

SourceSKILL.md

631	console.log(`Unhandled event type: ${event.type}`);

medium line 783

Template literal with variable interpolation in command context

SourceSKILL.md

783	console.log(`Unhandled event: ${event.meta.event_name}`);

medium line 895

Template literal with variable interpolation in command context

SourceSKILL.md

895	console.log(`Event ${eventId} already processed, skipping`);

medium line 1055

Template literal with variable interpolation in command context

SourceSKILL.md

1055	`https://${request.headers.get('host')}${request.nextUrl.pathname}`,

medium line 3

Webhook reference - potential data exfiltration

SourceSKILL.md

3	description: "Load PROACTIVELY when task involves payments, billing, or subscriptions. Use when user says \"add payments\", \"integrate Stripe\", \"set up subscriptions\", \"add a checkout flow\", or

medium line 7

Webhook reference - potential data exfiltration

SourceSKILL.md

7	tags: [payments, stripe, lemonsqueezy, paddle, checkout, subscriptions, webhooks]

medium line 20

Webhook reference - potential data exfiltration

SourceSKILL.md

20	This skill guides you through implementing payment processing in applications, from provider selection to webhook handling. It leverages GoodVibes precision tools for secure, production-ready payment

medium line 29

Webhook reference - potential data exfiltration

SourceSKILL.md

29	- Process payment webhooks securely

low line 48

Webhook reference - potential data exfiltration

SourceSKILL.md

48	- id: webhook-routes

low line 49

Webhook reference - potential data exfiltration

SourceSKILL.md

49	pattern: "(webhook\|payment\|checkout)"

medium line 57

Webhook reference - potential data exfiltration

SourceSKILL.md

57	- Webhook endpoints

low line 166

Webhook reference - potential data exfiltration

SourceSKILL.md

166	STRIPE_WEBHOOK_SECRET=whsec_...

low line 171

Webhook reference - potential data exfiltration

SourceSKILL.md

171	LEMONSQUEEZY_WEBHOOK_SECRET=...

low line 175

Webhook reference - potential data exfiltration

SourceSKILL.md

175	PADDLE_WEBHOOK_SECRET=...

medium line 545

Webhook reference - potential data exfiltration

SourceSKILL.md

545	### 6. Webhook Handling

medium line 547

Webhook reference - potential data exfiltration

SourceSKILL.md

547	Webhooks are critical for payment processing. They notify your application of payment events.

medium line 549

Webhook reference - potential data exfiltration

SourceSKILL.md

549	#### Stripe Webhook Handler

low line 554

Webhook reference - potential data exfiltration

SourceSKILL.md

554	- path: "src/app/api/webhooks/stripe/route.ts"

low line 567

Webhook reference - potential data exfiltration

SourceSKILL.md

567	const webhookSecret = process.env.STRIPE_WEBHOOK_SECRET;

low line 568

Webhook reference - potential data exfiltration

SourceSKILL.md

568	if (!webhookSecret) {

low line 569

Webhook reference - potential data exfiltration

SourceSKILL.md

569	throw new Error('STRIPE_WEBHOOK_SECRET is required');

low line 587

Webhook reference - potential data exfiltration

SourceSKILL.md

587	// Verify webhook signature

low line 588

Webhook reference - potential data exfiltration

SourceSKILL.md

588	event = stripe.webhooks.constructEvent(body, signature, webhookSecret);

low line 591

Webhook reference - potential data exfiltration

SourceSKILL.md

591	console.error('Webhook signature verification failed:', message);

low line 637

Webhook reference - potential data exfiltration

SourceSKILL.md

637	console.error('Webhook handler error:', message);

low line 639

Webhook reference - potential data exfiltration

SourceSKILL.md

639	{ error: 'Webhook handler failed' },

medium line 722

Webhook reference - potential data exfiltration

SourceSKILL.md

722	#### LemonSqueezy Webhook Handler

low line 727

Webhook reference - potential data exfiltration

SourceSKILL.md

727	- path: "src/app/api/webhooks/lemonsqueezy/route.ts"

low line 733

Webhook reference - potential data exfiltration

SourceSKILL.md

733	const webhookSecret = process.env.LEMONSQUEEZY_WEBHOOK_SECRET;

low line 734

Webhook reference - potential data exfiltration

SourceSKILL.md

734	if (!webhookSecret) {

low line 735

Webhook reference - potential data exfiltration

SourceSKILL.md

735	throw new Error('LEMONSQUEEZY_WEBHOOK_SECRET is required');

low line 746

Webhook reference - potential data exfiltration

SourceSKILL.md

746	// Verify webhook signature

low line 747

Webhook reference - potential data exfiltration

SourceSKILL.md

747	const hmac = crypto.createHmac('sha256', webhookSecret);

low line 753

Webhook reference - potential data exfiltration

SourceSKILL.md

753	console.error('Webhook signature verification failed');

low line 789

Webhook reference - potential data exfiltration

SourceSKILL.md

789	console.error('Webhook handler error:', message);

low line 791

Webhook reference - potential data exfiltration

SourceSKILL.md

791	{ error: 'Webhook handler failed' },

low line 797

Webhook reference - potential data exfiltration

SourceSKILL.md

797	interface LemonSqueezyWebhookData {

low line 802

Webhook reference - potential data exfiltration

SourceSKILL.md

802	async function handleOrderCreated(data: LemonSqueezyWebhookData) {

low line 812

Webhook reference - potential data exfiltration

SourceSKILL.md

812	async function handleSubscriptionCreated(data: LemonSqueezyWebhookData) {

low line 823

Webhook reference - potential data exfiltration

SourceSKILL.md

823	async function handleSubscriptionUpdated(data: LemonSqueezyWebhookData) {

low line 833

Webhook reference - potential data exfiltration

SourceSKILL.md

833	async function handleSubscriptionCancelled(data: LemonSqueezyWebhookData) {

low line 843

Webhook reference - potential data exfiltration

SourceSKILL.md

843	async function handlePaymentSuccess(data: LemonSqueezyWebhookData) {

medium line 855

Webhook reference - potential data exfiltration

SourceSKILL.md

855	#### Webhook Idempotency

medium line 857

Webhook reference - potential data exfiltration

SourceSKILL.md

857	Always implement idempotency to handle duplicate webhook deliveries:

low line 862

Webhook reference - potential data exfiltration

SourceSKILL.md

862	- path: "src/lib/webhooks/idempotency.ts"

low line 867

Webhook reference - potential data exfiltration

SourceSKILL.md

867	const existing = await db.webhookEvent.findUnique({

low line 875

Webhook reference - potential data exfiltration

SourceSKILL.md

875	await db.webhookEvent.create({

low line 889

Webhook reference - potential data exfiltration

SourceSKILL.md

889	const existing = await tx.webhookEvent.findUnique({

low line 901

Webhook reference - potential data exfiltration

SourceSKILL.md

901	await tx.webhookEvent.create({

medium line 913

Webhook reference - potential data exfiltration

SourceSKILL.md

913	Update webhook handlers to use idempotency:

low line 916

Webhook reference - potential data exfiltration

SourceSKILL.md

916	// In Stripe webhook

medium line 939

Webhook reference - potential data exfiltration

SourceSKILL.md

939	#### Stripe CLI for Webhook Testing

low line 946

Webhook reference - potential data exfiltration

SourceSKILL.md

946	- cmd: "stripe listen --forward-to localhost:3000/api/webhooks/stripe"

low line 971

Webhook reference - potential data exfiltration

SourceSKILL.md

971	## Test Webhooks

low line 973

Webhook reference - potential data exfiltration

SourceSKILL.md

973	1. Start webhook listener: `stripe listen --forward-to localhost:3000/api/webhooks/stripe`

medium line 984

Webhook reference - potential data exfiltration

SourceSKILL.md

984	Create tests for webhook handlers:

low line 989

Webhook reference - potential data exfiltration

SourceSKILL.md

989	- path: "src/__tests__/webhooks/stripe.test.ts"

low line 991

Webhook reference - potential data exfiltration

SourceSKILL.md

991	import { POST } from '@/app/api/webhooks/stripe/route';

low line 995

Webhook reference - potential data exfiltration

SourceSKILL.md

995	describe('Stripe Webhook Handler', () => {

low line 996

Webhook reference - potential data exfiltration

SourceSKILL.md

996	it('should verify webhook signature', async () => {

low line 1003

Webhook reference - potential data exfiltration

SourceSKILL.md

1003	const request = new NextRequest('http://localhost:3000/api/webhooks/stripe', {

medium line 1132

Webhook reference - potential data exfiltration

SourceSKILL.md

1132	- Webhook endpoint exists

medium line 1133

Webhook reference - potential data exfiltration

SourceSKILL.md

1133	- Webhook signature verification

low line 1186

Webhook reference - potential data exfiltration

SourceSKILL.md

1186	model WebhookEvent {

medium line 1225

Webhook reference - potential data exfiltration

SourceSKILL.md

1225	### Pattern: Webhook Retry Logic

medium line 1227

Webhook reference - potential data exfiltration

SourceSKILL.md

1227	Payment providers retry failed webhooks. Always:

medium line 1230

Webhook reference - potential data exfiltration

SourceSKILL.md

1230	- Log all webhook events

medium line 1255

Webhook reference - potential data exfiltration

SourceSKILL.md

1255	### DON'T: Skip Webhook Verification

medium line 1257

Webhook reference - potential data exfiltration

SourceSKILL.md

1257	Always verify webhook signatures. Unverified webhooks are a security risk.

medium line 1274

Webhook reference - potential data exfiltration

SourceSKILL.md

1274	### DON'T: Ignore Failed Webhooks

medium line 1276

Webhook reference - potential data exfiltration

SourceSKILL.md

1276	Monitor webhook delivery and investigate failures. Set up alerts.

medium line 1292

Webhook reference - potential data exfiltration

SourceSKILL.md

1292	- Complete webhook event reference

medium line 1302

Webhook reference - potential data exfiltration

SourceSKILL.md

1302	2. Monitor webhooks - Set up logging and alerting

medium line 1304

Webhook reference - potential data exfiltration

SourceSKILL.md

1304	4. Plan for scale - Consider rate limits, concurrent webhooks

medium line 153

Access to .env file

SourceSKILL.md

153	Create `.env.example` template:

low line 158

Access to .env file

SourceSKILL.md

158	- path: ".env.example"

low line 185

Access to .env file

SourceSKILL.md

185	pattern: "^\\.env$"

medium line 191

Access to .env file

SourceSKILL.md

191	If not found, add `.env` to `.gitignore`.

low line 210

Access to .env file

SourceSKILL.md

210	const stripeSecretKey = process.env.STRIPE_SECRET_KEY;

low line 250

Access to .env file

SourceSKILL.md

250	const appUrl = process.env.NEXT_PUBLIC_APP_URL;

low line 302

Access to .env file

SourceSKILL.md

302	const lemonSqueezyApiKey = process.env.LEMONSQUEEZY_API_KEY;

low line 317

Access to .env file

SourceSKILL.md

317	const lemonSqueezyStoreId = process.env.LEMONSQUEEZY_STORE_ID;

low line 364

Access to .env file

SourceSKILL.md

364	const priceId = process.env.STRIPE_PRICE_STARTER;

low line 375

Access to .env file

SourceSKILL.md

375	const priceId = process.env.STRIPE_PRICE_PRO;

low line 403

Access to .env file

SourceSKILL.md

403	const secretKey = process.env.STRIPE_SECRET_KEY;

low line 480

Access to .env file

SourceSKILL.md

480	const secretKey = process.env.STRIPE_SECRET_KEY;

low line 561

Access to .env file

SourceSKILL.md

561	const secretKey = process.env.STRIPE_SECRET_KEY;

low line 567

Access to .env file

SourceSKILL.md

567	const webhookSecret = process.env.STRIPE_WEBHOOK_SECRET;

low line 733

Access to .env file

SourceSKILL.md

733	const webhookSecret = process.env.LEMONSQUEEZY_WEBHOOK_SECRET;

low line 934

Access to .env file

SourceSKILL.md

934	path: ".env"

low line 978

Access to .env file

SourceSKILL.md

978	Use sandbox mode in .env:

low line 1051

Access to .env file

SourceSKILL.md

1051	process.env.NODE_ENV === 'production' &&

medium line 1131

Access to .env file

SourceSKILL.md

1131	- API keys in .env.example (not .env)

low line 1003

External URL reference

SourceSKILL.md

1003	const request = new NextRequest('http://localhost:3000/api/webhooks/stripe', {

low line 1055

External URL reference

SourceSKILL.md

1055	`https://${request.headers.get('host')}${request.nextUrl.pathname}`,

low line 1104

External URL reference

SourceSKILL.md

1104	"script-src 'self' 'unsafe-inline' https://js.stripe.com",

low line 1105

External URL reference

SourceSKILL.md

1105	"frame-src https://js.stripe.com",

low line 1106

External URL reference

SourceSKILL.md

1106	"connect-src 'self' https://api.stripe.com",

Scanned on Feb 28, 2026

View Security Dashboard

Install this skill with one command

/learn @mgd34msu/payment-integration

GitHub Stars 4

Rate this skill

Categorymarketing

UpdatedMarch 29, 2026

openclaw api growth-marketer product-marketer sales-engineer customer-success-manager business-development stripe marketing sales

mgd34msu/goodvibes-plugin