skill-alipayplus-integration

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed documentation helper for Alipay+ integration that fetches official docs and does not install code, persist data, or access credentials.

Install this only if you want your agent to make live requests to docs.alipayplus.com when answering Alipay+ integration questions. Avoid pasting private API keys, certificates, production credentials, or customer payment data into chat, and verify generated payment code against official docs and your own security review before deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding
The skill advertises very broad, ordinary-language trigger phrases such as 'How to integrate with Alipay+?' and similar requests that could easily appear in normal conversation. In agent environments with automatic skill routing, this can cause overbroad invocation, unintended activation, and unnecessary external documentation fetching, increasing the chance of prompt-scope confusion or data exposure through misrouting.

Vague Triggers

Medium
Confidence: 95%
Finding
The trigger phrases include very broad terms such as "Alipay+" and "AlipayPlus", which can cause the skill to activate on ordinary mentions rather than an explicit request to use this payment-integration skill. In this skill's context, unintended activation is more risky because the skill is instructed to fetch remote documentation via curl, potentially causing unnecessary network access, misrouting user intent, and exposing users to guidance they did not request.

VirusTotal

65/65 vendors flagged this skill as clean.
