Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

skill-alipayplus-integration

v1.0.0

Alipay+ Payment Integration Assistant. Helps Acquirers and Mobile Service Providers quickly integrate Alipay+ payments, including customer-presented mode pay...

by Lizzie @wypride

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for wypride/skill-alipayplus-integration.

Install the skill "skill-alipayplus-integration" (wypride/skill-alipayplus-integration) from ClawHub.
Skill page: https://clawhub.ai/wypride/skill-alipayplus-integration
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install skill-alipayplus-integration

ClawHub CLI

npx clawhub@latest install skill-alipayplus-integration

Security Scan

Capability signals

  • Crypto
  • Requires wallet
  • Can make purchases
  • Requires OAuth token

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Suspicious

OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name/description match the included artifacts: config generation, signature testing, webhook debugging, and reconciliation — and the shipped scripts implement those tasks. However, package.json declares a bin entry (./scripts/install.js) and an install script that are not present in the file manifest, and the SKILL metadata declares no required environment variables even though the scripts expect several (SFTP_USER, SFTP_KEY, PARTICIPANT_ID, etc.).
! Instruction Scope
SKILL.md instructs the agent to run the provided scripts (generate-config.sh, test-signature.sh, debug-notify.sh, reconciliation.sh). The scripts read/write files under $HOME/.openclaw/workspace and ~/.openclaw, expect SFTP keys, may print private key contents to stdout (test-signature.sh prints the generated private key), and debug-notify.sh can start ngrok to expose a local service and logs incoming requests to a local logfile. The SKILL.md did not declare or surface these file/credential operations explicitly, and some script behaviors (printing private keys, logging incoming webhook content) increase risk if run without review.
! Install Mechanism
There is no install spec (instruction-only), which is lower risk, but package.json declares a bin ('alipayplus-install': './scripts/install.js') and an install npm script that refer to scripts/install.js which is missing from the manifest. That mismatch is an integrity/packaging concern — it may be an accidental omission or indicate incomplete/untested packaging.
! Credentials
Skill metadata lists no required environment variables or primary credential, but the scripts use multiple environment variables and default paths (SFTP_USER, SFTP_HOST, SFTP_KEY, PARTICIPANT_ID, ENV, LOCAL_DIR, and workspace/private key paths). The scripts also default to user-home locations (e.g., $HOME/.openclaw/workspace, ~/.ssh/alipayplus_sftp) and may read files there. The absence of declared env requirements is an inconsistency; you should not provide production private keys or SFTP credentials until you confirm behavior.
Persistence & Privilege
The skill is not 'always:true' and does not request platform-level persistent privileges. It is user-invocable and allows autonomous invocation (default), which is normal. The skill writes files into its own workspace under the user's home directory, which is expected for this type of tool but should be checked for sensitive data retention.
What to consider before installing
This skill appears to implement legitimate Alipay+ integration helpers, but review before running:

  1. Do not run scripts blindly — inspect them line-by-line (they will generate files under $HOME/.openclaw/workspace and may output private keys).
  2. The package.json references ./scripts/install.js which is missing; treat the package as incomplete until resolved.
  3. The scripts expect environment variables and SSH key files (SFTP_USER, SFTP_KEY, PARTICIPANT_ID, etc.) that are not declared in the skill metadata — do not supply production credentials; use test/sandbox credentials first.
  4. test-signature.sh prints private key material to the console and debug-notify.sh logs incoming webhook payloads; avoid pasting real production private keys into generated config files or leaving them readable on disk.
  5. If you need to test webhooks, be cautious when using ngrok (it exposes a public URL); limit exposure and rotate any credentials used for testing.
  6. Recommended mitigations: run in an isolated environment or VM, create dedicated test keys/accounts, set strict file permissions on any generated files, and remove generated keys/configs after testing.

If you want, I can list the exact lines that print or store sensitive values and suggest minimal edits to make the scripts safer before you run them.

Like a lobster shell, security has layers — review code before you run it.

latest vk970awm5cqaafj1fm8e1x7hgh984f1py
82 downloads
0 stars
1 version
Updated 2w ago
v1.0.0
MIT-0

Alipay+ Payment Integration Assistant

⚠️ CONSTRAINTS - READ FIRST

Information Sources (Priority Order):

  1. This SKILL.md - Core capabilities and flows
  2. ./references/api-reference.md - API endpoint list only
  3. ./references/flows.md - Flow diagrams (if exists)
  4. Official docs via WebFetch - When details not in above files

DO NOT:

  • ❌ Invent API parameters not in skill files or official docs
  • ❌ Make up field names (e.g., paymentToken, paymentCodeType)
  • ❌ Create fake request/response examples
  • ❌ Assume flow details not documented here

WHEN UNSURE:

  1. Check if info exists in skill files first
  2. If not found, use WebFetch to get official docs
  3. If still unclear, tell user "I need to check official docs" and fetch
  4. Never guess - say "I don't have this info in my skill files"

CAPABILITY BOUNDARIES:

  • ✅ Configuration generation (generate-config.sh)
  • ✅ Signature testing (test-signature.sh)
  • ✅ Webhook debugging (debug-notify.sh, ACQP only)
  • ✅ Reconciliation file processing
  • ❌ Detailed API parameters → Fetch from official docs
  • ❌ Business logic advice → Refer to official docs

Usage Examples

This skill is triggered when users say:

  • "How to integrate with Alipay+"
  • "How to integrate with A+"
  • "Implement Alipay+ products"
  • "Implement A+ products"
  • "Alipay+"
  • "AlipayPlus"
  • "Acquirer integrates with Alipay+"
  • "Wallet integrates with Alipay+"

Not for:

  • Alipay
  • WechatPay
  • Wire transfer

⚠️ Role Clarification Required: Before starting integration, users must clarify their role:

  • Acquirer Service Provider (ACQP) - Payment service providers integrating with merchants
  • Mobile Payment Service Provider (MPP) - E-wallet providers integrating with Alipay+

Clarification Scripts

When user descriptions are ambiguous, use the following to clarify their scenario:

For ACQP (Acquirer Service Provider):

  1. ACQP CPM (Customer-presented Mode)

    • Scenario: User presents payment code, merchant scans with barcode scanner
    • Suitable for: Convenience stores, shopping malls, restaurants, tourist attractions, etc.
  2. ACQP MPM (Merchant-presented Mode) Order Code

    • Scenario: Merchant generates dynamic QR code, user scans to pay
    • Suitable for: Self-service ordering, convenience stores, vending machines, etc.
  3. ACQP MPM (Merchant-presented Mode) Entry Code

    • Scenario: Merchant displays static QR code, user scans and enters amount to pay
    • Suitable for: Small individual merchant scenarios

For MPP (Mobile Payment Provider):

  1. MPP CPM (Customer-presented Mode)

    • Scenario: User opens wallet payment code page, wallet generates payment code
    • Suitable for: Offline stores where merchants support barcode scanner payments
  2. MPP MPM (Merchant-presented Mode) Order Code

    • Scenario: User opens wallet scanner page, scans merchant's dynamic order code to pay
    • Suitable for: Offline stores where merchants generate dynamic order codes
  3. MPP MPM (Merchant-presented Mode) Entry Code

    • Scenario: User opens wallet scanner page, scans merchant's static payment code and enters the payment amount to pay
    • Suitable for: Offline stores where merchants display static payment codes

Quick Start

# Generate configuration template
bash "$(dirname "$SKILL_DIR")/scripts/generate-config.sh"

# Signature verification test
bash "$(dirname "$SKILL_DIR")/scripts/test-signature.sh"

Capabilities

1. Configuration Generation

⚠️ SAFE TO USE: This uses generate-config.sh script which reads from skill files. No API parameter guessing needed.

Generate configuration templates for Alipay+ integration:

  • ACQP Config: PartnerId, ClientId, API keys, webhook URLs
  • MPP Config: PartnerId, ClientId, API keys, MPP endpoints
  • Environment: Sandbox vs Production settings

2. Signature Verification

⚠️ SAFE TO USE: This uses test-signature.sh script. Signature algorithm is documented in skill files.

Help debug signature issues:

  • Generate test signatures
  • Verify incoming request signatures
  • Common signature errors and fixes

3. Webhook Debugging (for ACQP only)

⚠️ SAFE TO USE: Webhook format is defined in official notification docs. Use WebFetch if unsure about payload structure.

Assist with asynchronous notification setup:

  • Webhook endpoint requirements
  • Signature verification for webhooks
  • Retry logic and idempotency

4. Reconciliation Files

⚠️ CHECK DOCS FIRST: Reconciliation file format may change. Verify column definitions with official docs.

Process daily reconciliation files:

  • Parse settlement reports
  • Match transactions
  • Identify discrepancies

Integration Flows

⚠️ CHECK DOCS FIRST: The flows in flows.md file are high-level summaries. For detailed API parameters, request/response schemas, and error codes, use WebFetch to retrieve official docs:

ACQP (Acquirer) Flow

  1. Merchant onboarding
  2. Payment initiation (CPM/MPM)
  3. Payment notification
  4. Settlement

MPP (Wallet) Flow

  1. User authentication
  2. Payment code generation/scan
  3. Payment execution
  4. MPP notifies Alipay+ of the final payment result

API References

Resources

⚠️ CHECK DOCS FIRST: Documentation for all Alipay+ payment products is provided via dynamic online links. Before integration, be sure to read the relevant product’s online documentation to obtain the latest API parameters and code samples.

Notes

  • For business inquiries, please contact the regional BD.
  • All links in this document point to Alipay+ online documentation, which is updated dynamically. Before coding, be sure to review the latest version.
