WeChat Pay Integration
Audited by ClawScan on May 11, 2026.
Overview
This WeChat Pay assistant is purpose-aligned, but some included payment/refund examples are unsafe enough to need careful review before use.
Treat this as reference material, not production-ready code. Before using it, replace placeholder credentials with secret-managed values, implement real WeChat Pay callback signature verification, add authentication and approval checks around refunds, and test all payment flows in a sandbox or staging environment.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If copied into production, forged or invalid WeChat Pay callbacks could be treated as legitimate, potentially marking orders paid or refunds processed incorrectly.
The payment/refund webhook example accepts callback signatures without actually verifying them. In payment systems, webhook origin and signature verification are critical before updating order or refund state.
return true; // TODO: implement real signature verification
Do not use the stub verifier. Implement WeChat Pay platform certificate/public-key verification, reject invalid signatures before business logic, and test callback verification in a staging environment.
If copied as-is into a public backend, an attacker or unauthorized user could potentially trigger refunds or manipulate refund amounts.
The sample refund endpoint directly uses client-supplied request fields to initiate a real refund API call, without showing authentication, authorization, order ownership checks, amount validation, or approval controls.
router.post('/apply', async (req, res) => { const { outTradeNo, totalFee, refundFee, reason } = req.body; ... await refund.refund(outTradeNo, outRefundNo, totalFee, refundFee, reason, ...)
Add authenticated admin/user authorization, server-side order lookup, amount and status validation, idempotency controls, audit logging, and explicit approval before calling the refund API.
Leaked merchant keys could allow unauthorized signing of WeChat Pay API requests or compromise payment operations.
The integration necessarily uses merchant signing keys and APIv3 credentials. This is purpose-aligned, but these credentials grant sensitive payment authority.
privateKey: fs.readFileSync('apiclient_key.pem', 'utf8'), // loaded from file ... apiV3Key: '0123456789abcdef0123456789abcdef'
Use environment variables or a secret manager, avoid pasting real keys into the agent chat, never commit keys to source control, and rotate any credentials that may have been exposed.
Users who run the command as-is may install unnecessary third-party packages, increasing supply-chain exposure.
The setup snippet installs unpinned npm packages and includes `crypto` and `fs`, which are built-in Node modules and normally should not be installed from npm.
npm install axios crypto fs
Install only required external packages such as `axios`, pin versions where appropriate, and rely on Node's built-in `crypto` and `fs` modules.
