爽文模拟器V1.0虾舍出品
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: shuangwen-simulator-v1 Version: 1.1.1 The skill functions as a commercial launcher for interactive fiction, facilitating Alipay payments and the programmatic installation of additional skill packages via MCP tools (SKILL.md, references/alipay-paid-access.md). While these behaviors are aligned with the stated purpose of a 'paid launcher,' the capabilities to initiate financial transactions and install external code represent high-risk functionalities. The skill relies on external fulfillment endpoints (XIASHE_SKILL_PACKAGE_BASE_URL) to provide signed URLs for installation, which is a significant attack surface, although no evidence of intentional malice or data exfiltration was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may create a payment order for the selected scenario after user confirmation.
The skill can ask connected payment tooling to create a real order, which is central to the paid-launcher purpose but has financial impact.
If an Alipay merchant-order MCP/tool is available, call it to create a 9.9 CNY order for the selected scenario.
Confirm the scenario name, price, and merchant/payment tool before approving any payment.
A connected payment skill or MCP may handle wallet authorization and payment status for this purchase.
Wallet authorization and payment status require trusted account/payment privileges, but the artifact directs that these be handled by the Alipay payment skill rather than embedded in this launcher.
Let the Alipay payment skill handle wallet authorization, payment submission, and payment status query.
Use only trusted payment integrations and avoid pasting wallet credentials or payment tokens directly into chat.
After payment, a separate paid skill package may be installed or offered from an external fulfillment source.
The launcher may install or return a downstream paid skill package that is not included in the provided artifacts, making provenance and review of the fulfilled package important.
If the environment can install Skills directly, install it. If not, provide the exact package URL or slug returned by the MCP.
Verify the returned package name, publisher, URL or slug, and permissions before installing the paid skill.
Short-lived payment links or order identifiers may be shared between connected tools to complete payment.
Payment URLs and order/session details may be passed between merchant and payment tools; this is expected for the payment flow but should be treated as sensitive.
If a cashier URL is returned, pass the complete URL to the Alipay payment skill/MCP.
Do not share payment URLs publicly, and use trusted MCP/payment integrations with clear data boundaries.