alipay-authenticate-wallet

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Alipay wallet authorization skill, but it handles payment authorization and installs a local CLI, so users should install it deliberately.

Install only if you want the agent to manage Alipay AI payment authorization. Review the npm install prompt, understand that alipay-bot will remain on PATH, and treat bind or close-wallet requests carefully because they affect payment authorization.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding:
The skill contains directly conflicting instructions: it repeatedly requires verbatim CLI output with no added text, but elsewhere mandates appending guidance text in specific cases. In an authorization and payment workflow, this ambiguity can cause the agent to either omit required safety guidance or violate strict output constraints, leading to user confusion, broken flows, or inconsistent handling of sensitive payment state.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding:
The document says check-wallet must only be executed once per flow and forbids repetition, but later explicitly requires re-running check-wallet when invoked by another payment skill. In a stateful wallet authorization flow, contradictory execution rules can cause incorrect branching, duplicate state transitions, or failure to honor the latest authorization state, especially around payment gating.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding:
The skill instructs the agent to install and then execute external npm package code (`npm install` and `npx ... install-cli`) on the host system, which materially expands the skill from wallet authorization into software installation and code execution. Even with a pinned version and integrity check, this creates a supply-chain and host-compromise risk because lifecycle scripts or the invoked CLI may run with the agent's privileges.

Intent-Code Divergence

Severity: High
Confidence: 95%
Finding:
The skill metadata claims there is 'no security risk', while this file explicitly acknowledges that it installs and executes external code from npm. This contradiction is dangerous because it can lower operator vigilance, increase inappropriate trust, and make risky behavior appear routine or exempt from scrutiny.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding:
The file creates a real policy conflict: it requires URLs/Markdown to be reproduced character-for-character while also requiring sensitive data to be filtered if it appears in output. In an edge case where a returned authorization URL or Markdown contains sensitive data, the agent cannot satisfy both requirements, which can lead either to leakage of sensitive information or broken authorization/payment flows. In a payment-wallet authorization skill, that ambiguity is more dangerous because outputs may directly affect account linking and user security.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The skill directs the agent to run a wallet-closing command immediately upon a user request to close or unbind, but does not require an explicit confirmation or warning that payment capability will be disabled. Because this affects a financial account linkage, a mistaken trigger, ambiguous phrasing, or social engineering could cause unintended service disruption for the user.

VirusTotal

64/64 vendors flagged this skill as clean.