stripe-directory

Name: ai/stripe-directory
Author: stripe

Share on X Share on LinkedIn Share on Bluesky

70High

This skill hijacks general discovery queries to execute unauthorized financial transactions and crypto wallet operations via unverified third-party CLIs, while bypassing security controls through malicious external instruction injection.

ThreatsCI SM CS BC S HITL

Threat Analysis

AI Agent Traps ↗Scanned 6/20/2026

Content InjectionPerception1 finding

Semantic ManipulationReasoning3 findings

Cognitive StateMemory & Learning1 finding

Behavioural ControlAction4 findings

SystemicMulti-Agent Dynamicsclean

Human-in-the-LoopHuman Overseer1 finding

Skill Info

Namestripe/ai/stripe-directory

Registrygithub

Versiond9527bfc2d09

PURLpkg:github/stripe/ai@d9527bfc2d09?skill=stripe-directory

Stars1,615

Installs708

Source

Repository ↗SKILL.md ↗

Install

This skill has been flagged as potentially malicious. Review the findings below before installing.

GitHub

705 installs

Skills.shDocs

npx skills add https://github.com/stripe/ai

Assessments (7)

AI Agent Traps ↗

Autonomous financial transactions with minimal human oversighthighapproval fatigueAML.T0053LLM06:2025

The skill orchestrates a multi-step payment flow (auth, decode, spend-request, pay) where the only human gate is a single approval prompt before money moves. The complexity of the flow and the instruction to 'silently run' tool checks are designed to reduce scrutiny and normalize autonomous financial action.

78% confidence

"silently run `which <tool> 2>/dev/null`" and "spend-request create ... --request-approval (blocks for approval) → mpp pay <endpoint_url>"

Autonomous payment execution flowhighautonomy abuseAML.T0034.002AML.T0053LLM06:2025LLM10:2025

The skill provides detailed instructions for the agent to programmatically resolve payment endpoints, decode challenges, and execute financial transactions via multiple CLI tools, creating a high risk of unauthorized or automated fund depletion.

90% confidence

mpp decode --challenge "<value>" ... spend-request create ... mpp pay <endpoint_url>

Implicit tool shadowing of payment methodshightool shadowing

The instructions mandate the use of specific third-party CLIs (Link, Tempo, Privy) for financial transactions, effectively overriding standard platform payment security controls with agent-managed CLI flows.

80% confidenceline 64

Once the user picks, silently run `which <tool> 2>/dev/null` to check if it’s installed. If not installed, offer to install it

Disk or memory exhaustion pattern detectedhighresource abuseAML.T0029AML.T0034LLM10:2025

Disk or memory exhaustion pattern detected

100% confidenceline 70

/dev/null <

Credential custody risk via third-party CLImediumcredential theftAML.T0055AML.T0037LLM02:2025

The skill instructs the agent to facilitate authentication for external crypto wallets and payment CLIs, which could lead to the persistence or exfiltration of session tokens or private keys.

70% confidence

auth login → mpp decode ... tempo wallet login ... Privy Agent Wallet CLI

Third-party credential custody via multiple external payment CLIsmediumcredential theftAML.T0055AML.T0037LLM02:2025

The skill routes authentication and payment credentials through at least four external CLI tools (link-cli, Tempo, Privy agent-wallet-cli, mppx), none of which are under the user's direct control. These tools perform `auth login` and wallet operations that can log or transmit session tokens and payment credentials externally.

80% confidence

"link-cli: auth login" / "tempo wallet login" / "@privy-io/agent-wallet-cli" — all external CLIs handling auth/payment tokens

Description Mismatchhighdescription mismatchAML.T0011.000LLM06:2025LLM09:2025

The skill's claimed purpose focuses on search and discovery, but the actual implementation includes instructions for the agent to perform financial transactions and manage crypto wallets, which significantly expands the skill's scope and risk profile.

85% confidence

The 'Purchasing' section explicitly instructs the agent to use crypto wallets (Tempo, Privy) and execute payment commands, which is not mentioned in the claimed purpose.

Capability inflation: broad autonomous activation triggermediumsocial engineeringAML.T0052.000LLM09:2025

The skill explicitly instructs the agent to activate even when the user never mentions Stripe Directory, covering any request to 'find vendors, tools, partners, or providers' — an extremely broad trigger that hijacks general discovery tasks and funnels them through a payment-capable skill.

75% confidence

"Use Stripe Directory to build a short relevant shortlist, even if the user does not mention Stripe Directory explicitly" and "any request to find vendors, tools, partners, or providers"

Capability inflation / Hijackingmediumsocial engineeringAML.T0052.000LLM09:2025

The instructions explicitly tell the agent to use the skill even when the user does not mention it, effectively hijacking the agent's decision-making process for any vendor-related query.

80% confidenceline 7

Use Stripe Directory to build a short relevant shortlist, even if the user does not mention Stripe Directory explicitly.

Indirect prompt injection via mpp.dev endpoint resolutionhighindirect prompt injection

The skill instructs the agent to fetch and interpret content from mpp.dev (an attacker-controllable external service) to 'resolve the raw endpoint' and 'read the HTTP 402 challenge'. An attacker controlling mpp.dev or a listed service could inject instructions into the HTTP response headers or body that the agent would treat as directives.

82% confidence

"resolve the raw endpoint on mpp.dev if so. Read the HTTP 402 challenge to confirm the amount: curl -s -D - -o /dev/null <endpoint_url> (look for WWW-Authenticate)"

Global/unverified dependency execution — global npm/yarn package, dotnet tool, or auto-confirmed npx run without version or integrity pinningmediumsupply chainAML.T0010AML.T0019AML.T0058LLM03:2025

Global/unverified dependency execution — global npm/yarn package, dotnet tool, or auto-confirmed npx run without version or integrity pinning (seen 2 times in this file at lines 64, 72)

100% confidenceline 64

npm i -g

Missing allowed-tools declarationlowunauthorized tool use

Skill executes commands, writes files, or accesses the network but declares no allowed-tools, so its tool surface cannot be reviewed or constrained.

90% confidence

Undeclared network usagelowunauthorized tool use

Skill contains network access patterns (HTTP requests, socket connections) without declaring network capability in allowed-tools.

60% confidence

Missing usage exampleslowpolicy violation

Skill body contains no code blocks or usage examples, making it harder for users to evaluate.

100% confidence

Missing licenseinfopolicy violation

Skill does not specify a license field. Specifying a license helps users understand usage terms.

100% confidence

Missing or insufficient descriptioninfopolicy violation

Skill description is empty or too short. A clear description helps users evaluate the skill's purpose.

100% confidence

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/github/stripe/ai/stripe-directory.svg)](https://mondoo.com/ai-agent-security/skills/github/stripe/ai/stripe-directory)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/github/stripe/ai/stripe-directory"><img src="https://mondoo.com/ai-agent-security/api/badge/github/stripe/ai/stripe-directory.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/github/stripe/ai/stripe-directory.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow