Mini Program Monetization Assistant

Security checks across malware telemetry and agentic risk

Overview

This is a coherent instruction-only monetization guide; the main thing to watch is safe handling of WeChat Pay credentials and payment/refund code.

This skill appears safe to use as an educational guide. Before implementing its examples, protect WeChat Pay credentials, test with sandbox accounts, review all payment/refund paths, and make sure your mini-program complies with WeChat platform rules, privacy law, refund policies, and tax obligations.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

If copied into a production backend, payment and refund code can affect real orders and funds.

Why it was flagged

This is a template for invoking the WeChat Pay refund API. It is purpose-aligned for a payment guide, but refund functionality can move money if implemented without proper authorization and review.

Skill content
async function refund(orderId, refundAmount, reason) { const result = await pay.refunds({ ... }) }
Recommendation

Use sandbox testing first, require authentication and authorization for payment/refund endpoints, add idempotency and audit logs, and keep human review for refunds or other financial changes.

ASI03: Identity and Privilege Abuse
Low
What this means

Leaked or mishandled merchant keys and certificates could allow unauthorized payment operations or account abuse.

Why it was flagged

The guide requires WeChat Pay merchant credentials and certificates for the user's own payment integration. This is expected for the stated purpose, and the example uses environment variables rather than hardcoding secrets.

Skill content
Obtain the merchant ID (mch_id) ... Set the API key (32 characters) ... Download the payment certificate ... privateKey: fs.readFileSync('./certs/apiclient_key.pem') ... apiv3_private_key: process.env.WX_APIV3_KEY
Recommendation

Do not paste live payment keys or certificates into chat. Store them in a secret manager or protected environment variables, restrict file permissions, avoid committing certificates to Git, and rotate secrets if exposed.