Alipay

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a documentation-only Alipay merchant onboarding API reference with sensitive examples, but no executable code or hidden behavior.

Install only if you need Alipay merchant onboarding API reference material. Before using the examples with a real account, protect tokens and signatures, avoid logging merchant identity documents, require explicit approval for create/confirm/cancel/upload actions, and verify all Alipay callback signatures and replay protections before processing notifications.

SkillSpector (1)

By NVIDIA

Missing User Warnings

Medium
Confidence: 93%
Finding
The notification receiver section documents an inbound callback interface with signed parameters but does not explicitly instruct implementers to verify the Alipay signature, validate app_id/msg_method, and reject invalid or replayed notifications before processing. Integrators may therefore accept forged callbacks, causing unauthorized state changes, false success/failure handling, or fraudulent merchant workflow actions.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

64/64 vendors flagged this skill as clean.
