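Du Xiaoman Payment Skill
v1.0.7 · Du Xiaoman Pay wallet Skill that handles cases where an SP service has insufficient balance or has not been purchased: it generates a payment link and QR code from the structured product data passed in by the caller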
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill's name/description align with its code and SKILL.md: it generates payment QR codes for provided product data and enforces the dxmpay domain. Minor inconsistency: the registry metadata lists no required binaries, but the SKILL.md and scripts explicitly require Node.js (recommended v18+).
Instruction Scope
SKILL.md instructs the agent to invoke node scripts/qrcode.js with a structured JSON input. The runtime instructions and the script are scoped to validating the payUrl, generating a PNG QR to the OS tmpdir, and returning a base64 result; they do not instruct reading unrelated files or secrets. The doc also explicitly warns not to display the base64 qr field.
Install Mechanism
No install spec; this is an instruction-only skill with local JS files included (qrcode.min.js + qrcode.js). No network downloads or archive extraction during install — low install risk.
Credentials
The skill requests no environment variables or credentials. It does, however, make an optional outbound HTTPS POST to https://www.dxmpay.com/facilepaycenter/tinyurl/createurl when run with --short-url; SKILL.md documents this and requires payUrl to be https://www.dxmpay.com/. Users should only enable short-linking if they trust that domain.
Persistence & Privilege
The skill does not request persistent or elevated privileges, does not set always:true, and does not modify other skills or global agent settings. It writes temporary files only to the system tmpdir.
Assessment
Before installing: (1) Be aware that the skill runs a Node.js script (Node v18+ recommended) although the registry metadata doesn't list Node as a required binary, so ensure the host has Node available. (2) The short-link feature (--short-url) will make an outbound HTTPS POST to www.dxmpay.com; only enable it if you trust that domain. (3) The script writes PNGs to the system temporary directory (tmp) and returns a base64 data URL; the SKILL.md explicitly says not to display the base64 field, so calling skills should follow that. (4) Ensure the calling skill strictly validates payUrl (it must be https://www.dxmpay.com/...) as documented to avoid generating QR codes for unexpected domains. (5) If you want to avoid any external network call, run the skill without the --short-url option.
