alipay-authenticate-wallet

This skill is internally consistent for enabling an Alipay wallet via a CLI tool, but review these points before installing or enabling it: - Verify provenance: the SKILL.md claims it's "official" and points to a GitHub homepage, but the provided skill source is listed as unknown. Confirm the GitHub repo and the @alipay/agent-payment package are authentic and maintained by Alipay before running npx install. - Be aware it runs shell commands (alipay-bot) and will perform network calls; ensure your environment is comfortable running that CLI. - The skill is designed to auto-run apply-wallet when check-wallet returns code=500 and explicitly forbids asking the user for a second confirmation. If you want human approval before provisioning actions, do not enable autonomous invocation or add an intervening confirmation step outside this skill. - The skill requires emitting CLI-returned URLs verbatim (these are time-limited signed links). Those URLs should be treated as sensitive while valid — they could grant access to an authorization flow for a short time; ensure only the intended user/channel can see them. - It expects access to inbound message metadata to determine the output channel and to post a temporary image from /tmp; confirm your agent runtime exposes such metadata and image-sending capability and that you consent to those data flows. - Because installation is via npx, inspect the package source and release artifacts before running npx to avoid installing an unexpected package. If you cannot verify the CLI/package source or you require interactive user confirmation before provisioning, treat this skill with caution or do not enable it.