Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ZL-ClawPay
v1.0.4
Use when users need to query sub-wallet binding status, bind sub-wallet, generate QR code, check payment status, query balance or transaction history. Trigge...
by zlpay@kevindagege
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (wallet/payment operations) aligns with the code: many modules implement SM2/SM4 (GM) crypto, HMAC signing, secure client, wallet/payment services and HTTP/local interfaces. Requesting an app id and client private key + server public key is reasonable for a payment SDK. However, registry summary at the top of the report said "Required env vars: none" while the skill's SKILL.md and _meta.json clearly require ZLPAY_APP_ID and GM key material — this metadata mismatch is an incoherence to be aware of.
Instruction Scope
SKILL.md instructs the LLM to call the local CLI wrapper (scripts/skill.py) and to consult local reference docs; that is consistent with included CLI code. But SKILL.md also claims a "stateless design" (each call spawns a new process) while the code contains a StateStore, SessionManager and Memory classes and has state retention and cleanup logic — the skill appears to persist wallet IDs/state to disk. The doc mandates never showing credentials, yet the code logs request/response info (with masking filters). The existence of log files, a configurable log directory and a state file means sensitive data could be persisted if masking or configuration is misused.
Install Mechanism
There is no remote 'download-and-extract' installer; an included setup.sh creates a venv and pip-installs pinned packages in requirements.txt. Packages are standard PyPI libraries (requests, gmssl, cryptography, qrcode, etc.) — this is expected for crypto and QR functionality. The install script itself does not fetch code from arbitrary hosts, but it will install many third-party packages (moderate-risk: supply-chain considerations).
Credentials
The required environment variables declared in SKILL.md and _meta.json (ZLPAY_APP_ID, ZLPAY_GM_CLIENT_PRIVATE_KEY or path, ZLPAY_GM_SERVER_PUBLIC_KEY or path) are appropriate for a crypto-based payment skill. However: (1) the top-level registry metadata in this report incorrectly shows no required env vars, a mismatch; (2) the bundle includes a config/.env file, which may contain secrets or default keys shipped with the skill; packaging credential files with a skill is a security concern and is not justified by normal usage. The skill also uses the optional ZLPAY_API_KEY and other env vars; ensure only necessary secrets are provided and that any shipped .env is inspected or removed.
Persistence & Privilege
SKILL.md's 'stateless' claim conflicts with code that instantiates StateStore/SessionManager and a Memory component and has log retention and state retention configuration. The skill will write logs and state files (log_dir, state_file_path) locally; it is not marked always:true, but it does persist data on disk. If you expect no local persistence, this is an inconsistency to address. Also, while logging uses a filter to mask secrets, masked data may still be partially recorded and retention/rotation must be reviewed.
What to consider before installing
What to check before installing/using this skill:
1) Metadata mismatch: The report header shows no required env vars but SKILL.md/_meta.json require ZLPAY_APP_ID and GM key material — assume the skill needs those secrets. Do not pass keys until you audit the code.
2) Inspect config/.env: The package includes config/.env. Open it before installation; if it contains real keys or default credentials, remove or replace them. Never use credentials found inside a shipped .env without rotation.
3) Review Config for endpoints: Find scripts/zlpay_skill/config/config.py (or where SecureClient sets base URL). Confirm the backend host(s) the skill will contact. If endpoints point to unknown or external servers you don't control, treat it as high risk.
4) Local persistence: The code contains StateStore/Memory and logging with retention. If you need ephemeral operation, either run this skill in an isolated environment (container/VM) or modify the code/config to disable state/log retention or redirect to a secure path.
5) Confirm payment flow enforcement: SKILL.md requires explicit yes/no confirmation before payments. Verify the business methods actually enforce this (i.e., the CLI/library will not auto-execute payments when invoked by an agent). If the LLM can invoke the skill autonomously, ensure policy or operator approval is in place.
6) Secrets handling: The skill expects the client private key (sensitive). Prefer providing keys via secure secret manager or mounted files (paths) rather than embedding in environment on a shared machine. If you must put keys on disk, set strict filesystem permissions and consider hardware-backed keys.
7) Dependency review: The setup installs many third-party packages (cryptography, gmssl, sm-crypto). Verify you trust these package versions and consider using a vetted internal mirror or doing an SBOM/audit of dependencies.
8) Run in sandbox first: Execute the skill in an isolated environment, exercising non-sensitive operations (query binding, listing interfaces) and monitor network traffic to confirm it contacts only expected hosts and that no unexpected outbound data (e.g., entire .env contents) is transmitted.
If you want, provide the contents of scripts/zlpay_skill/config/config.py and core/secure_client.py (or the base URL and where public keys are fetched) and I can do a more precise review of network endpoints and any code paths that may exfiltrate data.
Like a lobster shell, security has layers — review code before you run it.
