Lakala MOSS Interface Demo (拉卡拉MOSS接口演示)

Pass. Audited by ClawScan on May 8, 2026.

Overview

This is a straightforward Lakala MOSS test-order demo, but it contacts an external payment API (moss.lakala.com) and should only be used with test data.

Before installing, confirm you only need a Lakala MOSS demo/test order flow. Do not enter real merchant keys, sensitive customer data, or production callback URLs, and verify that the returned link points at a sandbox/test environment before clicking it or sharing it.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes, so the findings below describe what the code would do when run, not observed behaviour.

What this means

Running the skill can create a test order and return a payment-style link through Lakala's service.

Why it was flagged

The script makes a direct outbound POST request to create a MOSS order. This is the core purpose of the skill, but each run creates order state on the provider's side under whatever merchant configuration is supplied.

Skill content

url = "https://moss.lakala.com/ord-api/unified/v3" ... response = requests.post(url, json=request_data, headers=headers, timeout=30)

Recommendation

Use it only when you intend to create a test order, confirm the order number and amount first, and do not use production merchant data unless you have reviewed and adapted the integration for your environment.

What this means

Order details, remarks, and callback URLs provided to the skill leave the local environment and are sent to the payment provider.

Why it was flagged

User-supplied order details and the callback URL are included verbatim in the outbound request to the external Lakala API. The subject and remark fields are free text, so anything pasted into them (customer identifiers, internal hostnames, ticket references) is sent to the provider as well.

Skill content

"order_no": order_no, "total_amount": str(total_amount), ... "subject": subject, "remark": remark, "callback_url": callback_url

Recommendation

Use non-sensitive test values, and only provide a callback URL that is safe to share with the provider (a public test endpoint rather than an internal hostname or a production notify URL).

What this means

A user following the install instructions gets whatever version of the requests package their configured Python package index serves at that moment.

Why it was flagged

The dependency installation is documented, but there is no install spec or lockfile pinning the exact package version or its hash, so the resolved package is not reproducible or verifiable.

Skill content

Install dependencies: `pip install requests`

Recommendation

Install dependencies from a trusted package index, and pin the version (ideally with a hash) in a reviewed requirements file rather than installing the latest release unpinned.
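A quick check that turns the recommendation above into something a reviewer can run against a requirements file. This is an added example for this review, not code from the skill; the sample requirements text is constructed, and the sha256 digest in it is an all-zero placeholder that you would replace with the real one.

```python
"""Lint a requirements file for unpinned or hash-less entries.
Added example for this review, not part of the skill; the sample
requirements text is constructed and its sha256 digest is a placeholder."""
import re
from typing import List, Tuple

COMMENT = re.compile(r"(^|\s)#.*$")  # pip's rule: '#' starts a comment at line start or after whitespace
EXACT_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*==\s*([^\s;]+)")
HASH_OPT = re.compile(r"--hash=sha256:[0-9a-f]{64}")


def _logical_lines(text: str) -> List[str]:
    """Strip comments and join backslash-continued lines, as pip does."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = COMMENT.sub("", raw).rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        lines.append((pending + line).strip())
        pending = ""
    if pending:
        lines.append(pending.strip())
    return lines


def lint_requirements(text: str) -> List[Tuple[str, str]]:
    """Return (requirement, problem) pairs; an empty list means every package is pinned and hashed."""
    findings = []
    for req in _logical_lines(text):
        if not req or req.startswith("-"):  # blank, or a pip option such as -r / --index-url
            continue
        m = EXACT_PIN.match(req)
        if not m or "*" in m.group(3):  # no '==' at all, or a wildcard such as ==2.*
            findings.append((req, "no exact == pin"))
        elif not HASH_OPT.search(req):
            findings.append((req, "pinned but no --hash, so pip cannot verify the artifact"))
    return findings


# The skill's documented install line, expressed as a requirements entry (constructed).
SKILL_INSTALL = "requests\n"

# What a reviewed, pinned entry looks like (constructed; the all-zero digest is a
# placeholder, generate the real one with `pip hash <wheel>` or `pip-compile --generate-hashes`).
PINNED = """\
requests==2.32.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    print(lint_requirements(SKILL_INSTALL))  # [('requests', 'no exact == pin')]
    print(lint_requirements(PINNED))         # []
```

Once every entry carries a hash, install with `pip install --require-hashes -r requirements.txt`. In hash-checking mode pip refuses any package that is not listed with a hash, so the transitive dependencies of requests (urllib3, idna, charset-normalizer, certifi) have to be pinned and hashed too, which is what a lockfile generator produces for you.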

What this means

A user might misunderstand whether the returned link is purely a sandbox/demo link or an actual payment link.

Why it was flagged

The CLI wording invites the user to complete a payment, while the skill description says generated links have no actual payment capability. This is probably just demo wording, but a user who has pointed the skill at real merchant credentials could follow the prompt and make a real payment.

Skill content

print(f"\n请点击上方链接完成支付") (the string reads "Please click the link above to complete the payment")

Recommendation

Treat the link as test-only unless you have independently verified the environment and merchant configuration behind it.
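The first, second and fourth findings all come down to the same two checkpoints: inspect the request before it leaves the machine, and inspect the link before anyone clicks it. The following is an added example for this review, not code from the skill or from Lakala. It reuses the field names quoted from the skill and the endpoint URL the skill posts to; the TEST- order-number prefix, the one-yuan amount ceiling and the sandbox host allowlist (pay-sandbox.example.invalid) are local policy placeholders you would replace with values confirmed from your own merchant setup and Lakala's sandbox documentation.

```python
"""Pre-flight checks on a MOSS test-order request and a post-check on the
returned link. Added example for this review, not code from the skill.
Field names mirror those quoted from the skill; TEST_LINK_HOSTS,
MAX_TEST_AMOUNT and the TEST- order prefix are local policy placeholders."""
from decimal import Decimal, InvalidOperation
from urllib.parse import urlsplit
import ipaddress
import re

EXPECTED_API_URL = "https://moss.lakala.com/ord-api/unified/v3"  # endpoint quoted from the skill
TEST_LINK_HOSTS = {"pay-sandbox.example.invalid"}  # placeholder: fill from Lakala's sandbox docs
MAX_TEST_AMOUNT = Decimal("1.00")                  # assumption: ceiling for a demo amount
ORDER_NO_RE = re.compile(r"^TEST[A-Za-z0-9_-]{4,60}$")  # assumption: demo orders are TEST-prefixed
LONG_DIGIT_RUN = re.compile(r"\d{13,}")            # card- or ID-number-shaped data


def _host_is_local(host: str) -> bool:
    """True for loopback, private, link-local or unqualified hosts."""
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:
        return host == "localhost" or "." not in host or host.endswith(".local")


def _url_problems(label, url, allowed_hosts=None, forbidden_hosts=()):
    """Scheme, credential, locality and host-list checks shared by both call sites."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    problems = []
    if parts.scheme != "https":
        problems.append(f"{label}: scheme must be https, got {parts.scheme!r}")
    if not host:
        problems.append(f"{label}: no host")
        return problems
    if parts.username or parts.password:
        problems.append(f"{label}: credentials embedded in URL")
    if _host_is_local(host):
        problems.append(f"{label}: host {host!r} is local/private")
    if host in {h.lower() for h in forbidden_hosts}:
        problems.append(f"{label}: host {host!r} is a production host")
    if allowed_hosts is not None and host not in {h.lower() for h in allowed_hosts}:
        problems.append(f"{label}: host {host!r} is not a verified test host")
    return problems


def check_order_request(url: str, data: dict, production_callback_hosts=()) -> list:
    """Return every reason this request is unsafe to send as a demo order (empty list = OK)."""
    problems = []
    if url != EXPECTED_API_URL:
        problems.append(f"endpoint {url!r} differs from the documented MOSS endpoint")
    if not ORDER_NO_RE.match(str(data.get("order_no", ""))):
        problems.append("order_no must be TEST-prefixed, 8-64 chars of [A-Za-z0-9_-]")
    try:
        amount = Decimal(str(data.get("total_amount", "")))
        if amount <= 0 or amount > MAX_TEST_AMOUNT or amount != amount.quantize(Decimal("0.01")):
            problems.append(f"total_amount {amount} outside (0, {MAX_TEST_AMOUNT}] or not 2 decimals")
    except InvalidOperation:
        problems.append("total_amount is not a decimal number")
    for field in ("subject", "remark"):  # free text that leaves the machine verbatim
        if LONG_DIGIT_RUN.search(str(data.get(field, ""))):
            problems.append(f"{field} contains a long digit run (card or ID number?)")
    problems += _url_problems("callback_url", str(data.get("callback_url", "")),
                              forbidden_hosts=production_callback_hosts)
    return problems


def check_pay_link(link: str) -> list:
    """Post-check: accept a returned link only if it sits on a verified sandbox host."""
    return _url_problems("pay link", link, allowed_hosts=TEST_LINK_HOSTS)


# Constructed sample payloads using the field names quoted from the skill.
SAMPLE_REQUEST = {
    "order_no": "TEST20260508001",
    "total_amount": "0.01",
    "subject": "MOSS demo order",
    "remark": "sandbox only",
    "callback_url": "https://demo-callback.example.invalid/lakala/notify",
}
BAD_REQUEST = {
    "order_no": "PROD-000001",
    "total_amount": "199.00",
    "subject": "Card 6222021234567890123 refund",
    "remark": "",
    "callback_url": "http://user:pw@localhost:8080/notify",
}

if __name__ == "__main__":
    print(check_order_request(EXPECTED_API_URL, SAMPLE_REQUEST))  # []
    for problem in check_order_request(EXPECTED_API_URL, BAD_REQUEST):
        print("-", problem)
    print(check_pay_link("https://pay-sandbox.example.invalid/p/abc"))  # []
```

The natural place for these calls is immediately around the skill's own requests.post: refuse to send when check_order_request returns anything, and refuse to print the link when check_pay_link does. The exact-match on the endpoint URL is deliberate: if someone edits the skill to post somewhere else, the guard fails closed rather than silently following it.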