Recharge / Renew of Skills | Skill Account Recharge/Renewal

Security checks across malware telemetry and agentic risk

Overview

This payment skill needs careful review because it bundles payment-signing credentials, conflicting payment flows, and unrelated data-processing capabilities.

Install only after the publisher removes embedded private keys, rotates any exposed Alipay credentials, removes the local/manual payment fallback, requires server-issued orders and verified callbacks, switches payment/account traffic to HTTPS, and separates unrelated health-analysis, file-upload, generic CRUD, token-storage, and agent-invocation code into clearly scoped skills.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (62)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
return {
    "success": True,
    "data": {
        "orderId": f"ORD{os.popen('date +%Y%m%d%H%M%S').read().strip()}",
        "amount": amount,
        "detail": detail,
        "cashierUrl": f"https://excashier.alipay.com/pc.htm?outTradeNo={phone}_{amount}",
Confidence
94% confidence
Finding
"orderId": f"ORD{os.popen('date +%Y%m%d%H%M%S').read().strip()}",

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
# TODO: the real cloud API should be called here to create the order
# for now, mock data is used
order = {
    "orderId": f"ORD{os.popen('date +%Y%m%d%H%M%S').read().strip()}",
    "amount": amount,
    "uses": uses,
    "detail": detail,
Confidence
95% confidence
Finding
"orderId": f"ORD{os.popen('date +%Y%m%d%H%M%S').read().strip()}",

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    # run the command
    result = subprocess.run(
        cmd,
        capture_output=True,
        text=True,
Confidence
90% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout + 10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill advertises and documents capabilities that imply network, shell, file read/write, and environment access, but no declared permissions are present. This creates a governance and containment gap: an operator or platform may under-scope review while the skill still handles payment flows, tokens, scripts, and external calls.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior materially exceeds the stated payment purpose by referencing unrelated analysis/report APIs, file/URL upload processing, Flask demo endpoints, and token lifecycle management. Such scope creep is dangerous because it expands attack surface, may expose sensitive local or remote data, and makes it harder for users and defenders to understand what the skill can actually do.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The file first defines a strict security rule forbidding local order-number generation, then later instructs operators to generate local Alipay order numbers when the cloud API fails. In a payment workflow, contradictory instructions around transaction identifiers can cause bypass of reconciliation controls, broken auditability, and fraudulent or misattributed payments.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill explicitly claims cloud-order creation failure must terminate payment processing, yet elsewhere documents an alternate local payment path. This undermines the core trust boundary of the payment system and enables unverified payment initiation outside the intended backend control path.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documentation states that cloud API failure must immediately terminate the process, but later tells the operator to continue with a backup scan-code payment flow. In payment handling, this kind of contradiction is especially risky because it normalizes bypass behavior during outage conditions, when fraud controls are already weakened.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The guide instructs the skill to trigger another skill through a shell-based command rather than a constrained internal API. In a payment context, cross-skill invocation expands the trust boundary and can cause unintended actions, especially if the invoked message content is influenced by external data such as a cashier URL.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The document explicitly states that production callbacks must use HTTPS, yet the concrete notify and return URL examples use plain HTTP to a public IP address. In a payment flow, insecure callback transport can enable interception or tampering attempts, expose transaction metadata, and encourage operators to deploy a noncompliant production configuration.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
When the API call fails, the code silently returns success with mock order data and a fabricated Alipay cashier URL. In a payment skill, this is dangerous because it can mislead users into attempting payment against non-authoritative data, break transaction integrity, and create fraud, reconciliation, or support issues during outages.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The function accepts a caller-supplied amount and even documents that behavior, but the implementation always sends total_amount as 0.01 to Alipay. In a payment skill, this creates a direct integrity flaw: users or upstream systems may believe they are charging the requested amount while every transaction is actually initiated for a cent, enabling underpayment, accounting errors, and potential unauthorized service activation after a nominal payment.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This payment-focused skill exposes generic add/edit/delete/page/list operations that are not aligned with the stated recharge, renewal, balance query, and payment workflow. In particular, carrying unrelated administrative CRUD capabilities in a payment service expands attack surface and may allow unauthorized data manipulation or access if the surrounding routing/permission model is weak.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
A delete method that accepts a camera identifier inside a payment service strongly suggests code reuse or endpoint confusion across domains. In a payment context, this kind of misplaced destructive operation is dangerous because it may permit deletion of unrelated resources through an unexpectedly exposed skill surface, indicating broken separation of duties and likely missing validation.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script embeds a complete Alipay RSA private key directly in source code, which allows anyone with code access to sign requests as the merchant. In a payment skill, this is especially dangerous because compromise of the key can enable fraudulent payment operations, forged API calls, and long-term merchant impersonation well beyond simple order-status queries.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
Although a verify() helper exists, the code never verifies the signature on the Alipay response before trusting fields such as trade_status and total_amount. In a payment-confirmation workflow, trusting unsigned or unverified responses can let a tampered response falsely indicate payment success, leading to unauthorized account crediting or recharge fulfillment.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script embeds a full Alipay RSA private key directly in source code, which is a real secret exposure vulnerability. Anyone with access to the code can extract the key and potentially sign requests as the merchant application, undermining payment integrity and enabling fraudulent API interactions; in a payment skill, this is especially dangerous because the key protects a live financial trust boundary.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The payment notification endpoint accepts unauthenticated callback data and immediately returns success without verifying the Alipay signature, validating transaction state, or checking the order amount and merchant identifiers. In a payment skill, this can let an attacker forge successful payment notifications, causing fraudulent balance top-ups, order completion, or inconsistent account state.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The file configures endpoints for health/AI analysis and report export rather than the payment, recharge, balance, or order-management behavior declared in the skill manifest. This capability mismatch is dangerous because a payment-triggering skill could invoke unrelated sensitive services, causing unauthorized data flows, confusing reviews, and potentially exposing users to privacy-impacting analysis features outside the stated purpose.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The inline comment describes the file as a traditional Chinese medicine face-analysis configuration, which directly contradicts the declared payment skill purpose. Misleading documentation increases the risk that hidden or transplanted functionality passes review unnoticed, and in a payment-context skill this mismatch is especially suspicious because users and reviewers expect narrowly scoped financial operations.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The configuration explicitly adds health-analysis result pages and report-export capabilities that are not justified for a payment/recharge skill. In this context, unrelated export/report endpoints expand the reachable attack surface and could enable access to sensitive user data or backend functions under the cover of a benign payment workflow.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The script constructs an Alipay-looking cashier URL by concatenating local fields, but it does not create a signed order through an official Alipay API or trusted backend. In a payment skill, presenting such a fabricated URL as a 'real cashier link' can mislead operators or downstream agents into treating an unauthenticated payment session as legitimate, enabling spoofed payment flows or false assumptions about transaction validity.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The output claims the payment is in a sandbox and 'won't actually deduct funds,' but the code uses the production-looking excashier.alipay.com endpoint and no sandbox credentials or environment isolation. In a payment context, this mismatch is dangerous because users or other components may be induced to click or process a link under false safety assumptions, potentially causing unintended real-world payment attempts or trust in a fake checkout flow.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script embeds a full RSA private key directly in source code and uses it to sign Alipay payment requests. Any party with access to the repository, logs, backups, or distributed skill package can extract the key and forge payment-related requests or impersonate the merchant integration, which is especially dangerous in a payment skill context.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script unconditionally creates a real payment order using a hard-coded phone number and amount, bypassing any authenticated, user-driven recharge flow. In a payment skill, this is risky because anyone who runs the script can generate payment artifacts tied to a fixed account context, which can cause misbilling, accidental charging flows, test/production confusion, or unauthorized top-ups if connected to live payment credentials.

VirusTotal

VirusTotal findings are pending for this skill version.
