ClawHub

Alipay

v1.0.0

Implement Alipay for web and mobile with signed request safety, gateway alignment, and production-ready payment operations.

1· 430·6 current·7 all-time
byIván@ivangdavila

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for ivangdavila/alipay.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Alipay" (ivangdavila/alipay) from ClawHub.
Skill page: https://clawhub.ai/ivangdavila/alipay
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: ALIPAY_APP_ID
Required binaries: curl, jq
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install ivangdavila/alipay

ClawHub CLI

Package manager switcher

npx clawhub@latest install alipay
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the content: this is a hands-on implementation and launch playbook for Alipay integrations. Required binaries (curl, jq) and env var (ALIPAY_APP_ID) are consistent with diagnostic and integration tasks; no unrelated cloud credentials or services are requested.
Instruction Scope
Instructions stay within payment integration scope: setting up a local ~/alipay workspace, following checklists, and using Alipay production/sandbox endpoints. Note: the skill directs the agent to create and write persistent files under ~/alipay (memory.md, validation-log.md, incidents.md); these files may contain sensitive metadata if the agent or user writes such data. The skill explicitly warns not to paste private keys into chat and not to store raw signed payloads.
Install Mechanism
No install spec or external downloads — instruction-only. This is low-risk because no archives or third-party packages are fetched or executed.
Credentials
Only ALIPAY_APP_ID is required in metadata. The playbooks reference merchant keys/certificates and PSP accounts as prerequisites but do not ask for them as required env vars or attempt to collect them in chat. The requested environment access is proportional.
Persistence & Privilege
always is false and the skill does not request elevated platform-wide privileges. It does instruct creating persistent files in the user's home directory (~/alipay) and sets restrictive file perms; users should be aware data will persist on disk and ensure proper protection (disk encryption, access controls).
Assessment
This skill is an offline instruction/playbook for implementing Alipay and appears coherent. Before installing: 1) Confirm you are comfortable with the agent creating ~/alipay files and review their contents after first use; those files can contain payment metadata (avoid storing private keys or raw signed payloads). 2) Keep private keys and PSP secrets out of chat — the skill explicitly forbids pasting them. 3) Ensure curl and jq come from system package managers you trust. 4) If you expect the skill to perform live API calls, ensure the agent will use sandbox endpoints for testing; verify any production requests are intentional. 5) If you want to restrict persistence or network access, run the agent in a constrained environment (limited filesystem or network) or inspect the agent's actions during initial runs.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

💴 Clawdis
OSmacOS · Linux · Windows
Binscurl, jq
EnvALIPAY_APP_ID
latestvk976jmh7fjfdekd0vghn9d9fq982838s
430downloads
1stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
macOS, Linux, Windows
Iván@ivangdavila
latest
Download

Setup

On first use, read setup.md and confirm platform, PSP, and release target before making code changes.

When to Use

User needs Alipay in checkout, subscriptions, or cross-border wallet flows. Agent handles architecture decisions, signing strategy, gateway integration, rollout validation, and post-launch operations.

Architecture

Memory lives in ~/alipay/. See memory-template.md for setup and status fields.

~/alipay/
|-- memory.md                 # Project snapshot, risk status, and rollout state
|-- implementations.md        # Selected approach and platform notes
|-- validation-log.md         # Test evidence and environment results
`-- incidents.md              # Failed payments, root causes, and fixes

Quick Reference

Use the smallest relevant file for the current task.

TopicFile
Setup flowsetup.md
Memory templatememory-template.md
Implementation planimplementation-playbook.md
Validation matrixvalidation-checklist.md
Failure recoveryfailure-handling.md
Release and operationslaunch-playbook.md
Recurring and subscription flowsrecurring-payments.md

Requirements

  • Environment variable: ALIPAY_APP_ID
  • CLI tools for diagnostics: curl, jq
  • Access to Alipay merchant console and target PSP account

Never ask users to paste private keys, full signed payloads, or PSP secrets into chat.

Data Storage

Local notes stay under ~/alipay/:

  • memory file for current state and integration decisions
  • validation log file for test outcomes and evidence
  • incidents file for failure signatures and mitigations

Core Rules

1. Confirm Business Goal Before Choosing Integration Path

Start by identifying the target outcome:

  • Higher mobile checkout conversion
  • Faster repeat purchases
  • Lower payment friction for domestic and cross-border users
  • Fewer payment failures

Then choose one primary path:

  • Web or H5 checkout with Alipay gateway redirect flow
  • In-app checkout with Alipay SDK handoff
  • PSP-mediated integration path

Do not mix paths in one patch unless the user asks for a migration plan.

2. Require Merchant and Environment Prerequisites

Before implementation, confirm:

  • Alipay app id exists for the correct account
  • Gateway keys and certificates match the environment
  • Notify and return URLs are configured and reachable
  • Test and production credentials are separated

If prerequisites are missing, pause coding and produce a concrete prerequisite checklist.

3. Enforce Server Truth for Amounts and Currency

Amounts and currency must match across:

  • Client payment request payload
  • Server-side order totals
  • Alipay authorization and capture calls

Never trust client totals for final charge amount.

4. Make Signing and Callback Verification Explicit

Treat signing and verification as required controls:

  • Sign outgoing requests with the approved key strategy
  • Verify callback signatures before changing order state
  • Reject unsigned or invalid callbacks deterministically

Never mark a payment successful before signature checks pass.

5. Keep Payment Payload Handling Minimal and Auditable

Treat Alipay payloads as sensitive:

  • Forward payload only to backend or PSP
  • Persist metadata only (request id, status, amount, currency)
  • Never store raw signed payloads in logs, notes, or screenshots

6. Build Idempotent and Recoverable Payment Steps

Require idempotency and reconciliation for all critical calls:

  • Authorization request
  • Capture request
  • Refund or close operations

Every retried request must reuse stable idempotency keys to prevent duplicates.

7. Separate Test and Production Release Gates

Do not recommend production rollout until all gates pass:

  • Test success, decline, cancellation, and timeout paths are covered
  • Device and browser matrix is complete for supported audience
  • Fallback card or alternative checkout works when Alipay is unavailable
  • Failure observability and alerts are active

Common Traps

  • Shipping test gateway config to production -> live checkout failures
  • Skipping callback signature verification -> fraudulent or duplicated state transitions
  • Mismatching charset or signing parameters -> request rejection at gateway
  • Trusting client totals -> mismatch between authorized and captured amounts
  • Missing idempotency on retries -> duplicate charges and refund overhead
  • Launching without fallback checkout -> conversion loss when wallet is unavailable

External Endpoints

EndpointData SentPurpose
https://openapi.alipay.com/gateway.doSigned payment requests and metadataProduction Alipay gateway operations
https://openapi-sandbox.dl.alipaydev.com/gateway.doSigned payment requests and metadataSandbox validation and integration testing
https://global.alipay.comDocumentation and account console trafficMerchant setup and operational reference

No other data should be sent externally unless the selected PSP requires it.

Security & Privacy

Data that leaves your machine:

  • Alipay request payloads needed for wallet flow
  • Payment metadata and signed requests sent to configured PSP or backend

Data that stays local:

  • Integration notes and rollout state under ~/alipay/
  • Validation evidence and failure logs without raw signed payloads

This skill does NOT:

  • Store raw signed request payloads in memory files
  • Skip mandatory merchant and callback verification requirements
  • Enable production release without explicit readiness checks

Trust

Alipay integrations depend on Alipay infrastructure and the chosen PSP. Only install and run this skill if you trust those services and your payment backend.

Related Skills

Install with clawhub install <slug> if user confirms:

  • payments - General payment design and checkout decision frameworks
  • billing - Billing models, reconciliation, and payment lifecycle decisions
  • api - Reliable backend API contracts and failure-safe integrations
  • auth - Authentication and session hardening in transaction flows
  • android - Android checkout implementation and runtime troubleshooting patterns

Feedback

  • If useful: clawhub star alipay
  • Stay updated: clawhub sync

Comments

Loading comments...