Skill v1.0.5
ClawScan security
Huifu DouGong HostingPay Base · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict

Benign · Apr 14, 2026, 10:25 AM

- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill is a documentation-only integration guide for the Huifu dg-java-sdk and its required config; the requested credentials and instructions align with the stated payment-integration purpose.
- Guidance: This skill appears to be a coherent, documentation-only Huifu payment SDK integration guide. Before using it: (1) do not paste your production RSA private key into chat or public repos — use environment variables / secret stores as recommended; (2) when you install the referenced dg-java-sdk from Maven, verify the package coordinates and checksum from Huifu's official repository; (3) follow the doc's advice to use test credentials in dev and avoid logging sensitive keys; (4) verify the dependency huifu-dougong-pay-shared-base and the skill owner are legitimate if you will rely on their shared artifacts. If you need higher assurance, request the upstream source repository or signed release notes for the SDK and shared-base dependency.
Review Dimensions

- Purpose & Capability (ok): Name/description describe a payment-SDK base and the skill only declares the four Huifu config keys and references Java SDK initialization and protocol docs; those credentials and files are appropriate and expected for a payment SDK integration base.
- Instruction Scope (ok): SKILL.md is documentation and sample code for SDK init, signing, and webhook handling. It instructs reading four config values via Spring @Value and using them to initialize the SDK, exactly what a real integration needs. It does not instruct reading unrelated files, exfiltrating data, or contacting unexpected endpoints; it warns not to log or hardcode keys.
- Install Mechanism (ok): No install spec or external downloads are present (instruction-only). The SDK dependency is referenced as a Maven artifact (dg-java-sdk), which is a normal, low-risk install mechanism and is not pulled by the skill itself.
- Credentials (ok): The only required configuration items are HUIFU_PRODUCT_ID, HUIFU_SYS_ID, HUIFU_RSA_PRIVATE_KEY, and HUIFU_RSA_PUBLIC_KEY, all directly relevant and necessary for signing/verification in a payment integration. The skill does not request unrelated secrets or multiple unrelated service credentials.
- Persistence & Privilege (ok): always:false and no install hooks; the skill is documentation-only and does not request persistent agent privileges or modify other skill/system configurations.
