首页龙虾技能列表 › Stripe Webhook Replay Lab — 技能工具

Stripe Webhook Replay Lab — 技能工具

v1.0.0

Replay signed Stripe webhook payloads to a local or staging endpoint for idempotency and retry debugging.

0· 249·0 当前·0 累计
by @daniellummis (Daniel Lummis)·MIT-0
下载技能包
License
MIT-0
最后更新
2026/3/6
安全扫描
VirusTotal
无害
查看报告
OpenClaw
可疑
medium confidence
The skill's behavior (replaying signed Stripe webhooks) matches its description, but metadata and declared requirements are inconsistent and the runtime will accept a webhook secret and arbitrary target URL — review before using.
评估建议
This script does what it says: it signs a JSON payload with your Stripe webhook secret and posts it to the URL you provide. Before running: (1) Inspect the included script (you already have it) and confirm you are comfortable with it. (2) Do NOT use a production webhook secret or production customer data — prefer test secrets and local/staging endpoints. (3) Be careful what URL you set: the tool will send the payload to any URL, so don't point it at untrusted external endpoints (it could leak te...
详细分析 ▾
用途与能力
The script and SKILL.md implement exactly what the name/description promise (generate Stripe-Signature headers and POST the event payload repeatedly). Required binaries are appropriate for the task. However, registry metadata lists no required environment variables while SKILL.md and the script require STRIPE_WEBHOOK_URL and STRIPE_WEBHOOK_SECRET; this mismatch is unexpected and should have been declared in the metadata.
指令范围
Runtime instructions only load a JSON payload (from a file or env var), compute an HMAC signature with the provided webhook secret, and POST to the user-specified endpoint. The script writes temporary response output to /tmp/stripe-webhook-replay-response.$$ and otherwise does not contact any third-party services. There is no hidden exfiltration, but the tool will send whatever payload you provide (which may contain email/IDs) to whichever URL you set, so pointing it at an untrusted external endpoint could leak test data.
安装机制
This is instruction-only with an included shell script; there is no install step and nothing is downloaded from the network. No archive extraction or remote installs are present.
凭证需求
The script legitimately needs STRIPE_WEBHOOK_URL and STRIPE_WEBHOOK_SECRET (and optional env vars for payload, counts, timeouts). The registry metadata, however, declares no required env vars — and the skill package does not list STRIPE_WEBHOOK_SECRET as a primary credential. The SKILL.md uses environment variables not listed in the metadata, which can mislead users about what secrets they must provide. Aside from that mismatch, the number and scope of env vars requested are proportional to the functionality.
持久化与权限
The skill does not request persistent privileges, does not set always:true, and does not modify other skills or system-wide config. It runs only when invoked.
安全有层次,运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发,无需署名。

运行时依赖

无特殊依赖

版本

latestv1.0.02026/3/6

Initial release of Stripe Webhook Replay Lab: - Replay signed Stripe webhook payloads to a specified endpoint for idempotency and retry debugging. - Supports loading event data from a JSON file or inline input. - Generates valid Stripe-Signature headers with your webhook secret. - Allows customizing replay count, delay, timeout, and accepted HTTP status codes. - Prints per-attempt HTTP status, latency, and a pass/fail summary for debugging. - Exits successfully only if all replay attempts meet the success criteria.

● 无害

安装命令 点击复制

官方npx clawhub@latest install stripe-webhook-replay-lab
镜像加速npx clawhub@latest install stripe-webhook-replay-lab --registry https://cn.clawhub-mirror.com

技能文档

Use this skill to replay the same signed Stripe webhook event multiple times against your endpoint and validate idempotency behavior.

What this skill does

  • Loads a Stripe event payload from a JSON file or inline env var
  • Generates valid Stripe Stripe-Signature headers using your webhook secret (whsec_...)
  • Replays the exact same payload N times to simulate duplicate deliveries/retries
  • Prints per-attempt HTTP status and latency with a pass/fail summary

Inputs

Required:
  • STRIPE_WEBHOOK_URL (target endpoint)
  • STRIPE_WEBHOOK_SECRET (Stripe endpoint secret used to verify signatures)

Payload source (choose one):

  • STRIPE_EVENT_PATH (default: fixtures/sample-checkout-session-completed.json)
  • STRIPE_EVENT_JSON (inline JSON payload; overrides STRIPE_EVENT_PATH)

Optional:

  • REPLAY_COUNT (default: 2)
  • REPLAY_DELAY_SECONDS (default: 0)
  • REQUEST_TIMEOUT_SECONDS (default: 15)
  • ACCEPT_HTTP_CODES (comma-separated exact HTTP codes accepted as success; default empty = any 2xx)

Run

STRIPE_WEBHOOK_URL=http://localhost:8000/webhooks/stripe \
STRIPE_WEBHOOK_SECRET=whsec_test_123 \
bash scripts/replay-stripe-webhook.sh

Force five duplicate deliveries with a small delay:

STRIPE_WEBHOOK_URL=http://localhost:8000/webhooks/stripe \
STRIPE_WEBHOOK_SECRET=whsec_test_123 \
REPLAY_COUNT=5 \
REPLAY_DELAY_SECONDS=0.2 \
bash scripts/replay-stripe-webhook.sh

Use inline payload JSON:

STRIPE_WEBHOOK_URL=http://localhost:8000/webhooks/stripe \
STRIPE_WEBHOOK_SECRET=whsec_test_123 \
STRIPE_EVENT_JSON='{"id":"evt_test","type":"checkout.session.completed","object":"event","data":{"object":{"id":"cs_test"}}}' \
bash scripts/replay-stripe-webhook.sh

Output contract

  • Prints payload event id/type when available
  • Logs each replay attempt: status code + elapsed milliseconds
  • Exit 0 if all attempts pass success criteria
  • Exit 1 if any attempt fails or inputs are invalid
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制

免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制

了解定制服务