Huifu Pay Integration
Advisory
Audited by static analysis on May 8, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users may be relying on copied or repackaged payment documentation without a clear provenance trail.
The package has no declared upstream source or homepage, which matters for a payment-integration guide even though no executable code or install script is present.
Source: unknown; Homepage: none
Cross-check key implementation details, SDK versions, signing rules, and production procedures against Huifu’s official documentation before going live.
If real Huifu credentials are exposed or misused, someone could make signed payment, query, close, or refund requests as the merchant.
The integration guidance requires merchant identity values and RSA signing/verification keys for real API use; these are sensitive payment credentials.
`HUIFU_SYS_ID` ... `HUIFU_RSA_PRIVATE_KEY` ... `HUIFU_RSA_PUBLIC_KEY`
Use test credentials during development, keep private keys in a secrets manager, avoid pasting secrets into chat or logs, and rotate keys if exposure is suspected.
Copied code used with real credentials could affect real orders or funds, especially if test mode and human approval are not enforced.
The quickstart demonstrates live payment operations, including create, close, and refund calls, and the sample configuration defaults to production unless explicitly set otherwise.
`@Value("${huifu.mode:prod}")` ... `client.create(createReq)` ... `client.close(closeReq)` ... `client.refund(refundReq)`
Explicitly configure test mode for development, require human approval before live create/close/refund operations, and add audit logging and rollback procedures around financial actions.
Incorrect webhook handling could allow spoofed or duplicated payment events to update order status incorrectly.
The skill covers external Huifu notify_url/Webhook flows carrying payment events; the cited guidance correctly warns to verify the raw request before trusting it.
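The webhook must first verify the signature over the raw request body, and only then parse the event body as JSON. Do not deserialize first and then re-serialize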
Use HTTPS, validate signatures exactly as documented, enforce idempotency on transaction IDs, and confirm final payment status with server-side query or verified asynchronous notification.
