← Back to Skills Marketplace
Stripe Webhook Replay Lab
by
Daniel Lummis
· GitHub ↗
· v1.0.0
291
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install stripe-webhook-replay-lab
Description
Replay signed Stripe webhook payloads to a local or staging endpoint for idempotency and retry debugging.
Usage Guidance
This script does what it says: it signs a JSON payload with your Stripe webhook secret and posts it to the URL you provide. Before running: (1) Inspect the included script (you already have it) and confirm you are comfortable with it. (2) Do NOT use a production webhook secret or production customer data — prefer test secrets and local/staging endpoints. (3) Be careful what URL you set: the tool will send the payload to any URL, so don't point it at untrusted external endpoints (it could leak test data). (4) Note the registry metadata omission: the package did not declare required env vars; expect to set STRIPE_WEBHOOK_URL and STRIPE_WEBHOOK_SECRET when running. If you need higher assurance, run the script in an isolated environment or container and avoid supplying production secrets.
Capability Analysis
Type: OpenClaw Skill
Name: stripe-webhook-replay-lab
Version: 1.0.0
The skill is a utility for testing Stripe webhook idempotency by replaying signed JSON payloads to a user-specified endpoint. It correctly implements the Stripe signature scheme using openssl and curl, and uses python3 for safe JSON parsing and input validation. No evidence of data exfiltration, malicious execution, or unauthorized access was found in scripts/replay-stripe-webhook.sh or the accompanying documentation.
Capability Assessment
Purpose & Capability
The script and SKILL.md implement exactly what the name/description promise (generate Stripe-Signature headers and POST the event payload repeatedly). Required binaries are appropriate for the task. However, registry metadata lists no required environment variables while SKILL.md and the script require STRIPE_WEBHOOK_URL and STRIPE_WEBHOOK_SECRET; this mismatch is unexpected and should have been declared in the metadata.
Instruction Scope
Runtime instructions only load a JSON payload (from a file or env var), compute an HMAC signature with the provided webhook secret, and POST to the user-specified endpoint. The script writes temporary response output to /tmp/stripe-webhook-replay-response.$$ and otherwise does not contact any third-party services. There is no hidden exfiltration, but the tool will send whatever payload you provide (which may contain email/IDs) to whichever URL you set, so pointing it at an untrusted external endpoint could leak test data.
Install Mechanism
This is instruction-only with an included shell script; there is no install step and nothing is downloaded from the network. No archive extraction or remote installs are present.
Credentials
The script legitimately needs STRIPE_WEBHOOK_URL and STRIPE_WEBHOOK_SECRET (and optional env vars for payload, counts, timeouts). The registry metadata, however, declares no required env vars — and the skill package does not list STRIPE_WEBHOOK_SECRET as a primary credential. The SKILL.md uses environment variables not listed in the metadata, which can mislead users about what secrets they must provide. Aside from that mismatch, the number and scope of env vars requested are proportional to the functionality.
Persistence & Privilege
The skill does not request persistent privileges, does not set always:true, and does not modify other skills or system-wide config. It runs only when invoked.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install stripe-webhook-replay-lab - After installation, invoke the skill by name or use
/stripe-webhook-replay-lab - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of Stripe Webhook Replay Lab:
- Replay signed Stripe webhook payloads to a specified endpoint for idempotency and retry debugging.
- Supports loading event data from a JSON file or inline input.
- Generates valid Stripe-Signature headers with your webhook secret.
- Allows customizing replay count, delay, timeout, and accepted HTTP status codes.
- Prints per-attempt HTTP status, latency, and a pass/fail summary for debugging.
- Exits successfully only if all replay attempts meet the success criteria.
Metadata
Frequently Asked Questions
What is Stripe Webhook Replay Lab?
Replay signed Stripe webhook payloads to a local or staging endpoint for idempotency and retry debugging. It is an AI Agent Skill for Claude Code / OpenClaw, with 291 downloads so far.
How do I install Stripe Webhook Replay Lab?
Run "/install stripe-webhook-replay-lab" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Stripe Webhook Replay Lab free?
Yes, Stripe Webhook Replay Lab is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Stripe Webhook Replay Lab support?
Stripe Webhook Replay Lab is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Stripe Webhook Replay Lab?
It is built and maintained by Daniel Lummis (@daniellummis); the current version is v1.0.0.
More Skills