Skill v1.0.3

ClawScan security

Recharge / Renew of Skills | 技能账户充值/续费 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Apr 29, 2026, 8:05 PM)
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary
The skill is a payment/integration module but contains embedded private keys, hard-coded external endpoints, and code paths that locally generate orders or return simulated order data — contradicting its own SKILL.md safety rules and the package metadata, so its requirements and behavior are inconsistent and risky.
Guidance
What to consider before installing:
- Do not install or run this skill with real merchant credentials until you audit and clean it. The package contains an RSA private key embedded in source and hard-coded notify URLs (47.111.74.176, lifeemergence.com). Embedded keys are a secret-management problem and may expose your merchant account.
- The SKILL.md forbids local order generation, but the code includes explicit fallback behavior that creates local/simulated order IDs when cloud APIs fail. That contradicts the skill's own safety rules and could allow local/unaudited payments or forged order IDs.
- Metadata declares no required environment variables, yet docs and code require ALIPAY_APP_ID, ALIPAY_PRIVATE_KEY/ALIPAY_PUBLIC_KEY, ALIPAY_NOTIFY_URL and a cloud API token. Ask the author to correct the metadata and to justify each required secret.
- Verify and change all endpoints. The skill points to external hosts (http://47.111.74.176 and https://lifeemergence.com). Confirm whether those are trusted services you control; use HTTPS for callbacks and host endpoints you operate. If you don't control them, treat them as exfil targets.
- Remove embedded private keys from the repository. Generate fresh keys, rotate any keys that might have been exposed, and store keys in secure secret storage or environment variables; do not commit keys into skill files.
- If you need to test, run only in an isolated environment and use Alipay sandbox credentials. Review and possibly remove the code paths that auto-return simulated orders so they cannot be used in production.
- Ask the skill owner to: (1) declare the required env vars/credentials in registry metadata, (2) remove embedded secrets, (3) eliminate any local-order fallback (or make it explicit as a safe sandbox-only mode), and (4) document and justify every external endpoint.

Confidence note: multiple independent inconsistencies (missing declared env vars, embedded private key, hard-coded external endpoints, code paths conflicting with documented safety rules) make this package suspicious and in need of manual code review before any production use.
Findings
[base64-block] unexpected: The pre-scan detected a base64-block pattern in SKILL.md (or included docs). This is a prompt-injection style signal; combined with embedded long RSA key blocks visible in source files it raises suspicion about hidden payloads or attempts to smuggle secret blocks into documentation/code.

Review Dimensions

Purpose & Capability
[concern] Name/description state this is an Alipay-based recharge/renewal skill, which matches most code (many alipay_*.py scripts, callback handlers, token manager). However, the package metadata declares no required env vars or credentials while the documentation and code clearly expect APP_ID, private/public keys, notify URLs, and a cloud API token. The skill also hard-codes external endpoints (e.g., http://47.111.74.176 and https://lifeemergence.com) and includes an RSA private key string in source. These are not proportionate to the registry's empty credential declaration and should be explicitly required/justified.
Instruction Scope
[concern] SKILL.md gives precise runtime rules (cloud must produce orderNo, must not locally generate order numbers, must verify TRADE_SUCCESS). But multiple code files (alipay_integration.py, alipay_pay.py, etc.) implement local order creation and explicitly return simulated order IDs when cloud API calls fail. The SKILL.md also instructs adding/reading private keys from scripts/keys and setting environment variables, yet metadata claims none. The skill prints links that will trigger other skills (alipay-pay-for-service) and sends data to external endpoints. All of that is legitimate for a payment skill, but the mismatch between "do not locally create orders" in SKILL.md and the actual code's fallback behavior is a direct contradiction and scope creep (it also directs data to third-party hosts).
Install Mechanism
[note] There is no install spec (instruction-only), which lowers install-time risk, but the package includes many code files (including full payment integration and key material). No external downloads were observed, but the presence of embedded secrets and hard-coded notify URLs means installing this skill writes sensitive data to the agent's skill directory, which is higher-risk than a pure instruction-only skill.
Credentials
[concern] Registry metadata claims no required env vars or primary credential, yet documentation and code expect ALIPAY_APP_ID, ALIPAY_PRIVATE_KEY/ALIPAY_PUBLIC_KEY, ALIPAY_NOTIFY_URL and an API bearer token for the cloud endpoint. Additionally, an RSA private key is embedded in source (alipay_pay.py). Requesting these secrets is expected for a payment skill, but failing to declare them is an inconsistency, and embedding private keys in the skill package is a secret-management risk.
Persistence & Privilege
[ok] The skill is not marked always:true and does not request elevation of other skills' settings. It defines automatic trigger keywords (high-priority triggers) which will cause invocation when those keywords appear; autonomous invocation is the platform default and not flagged by itself. However, combined with embedded credentials and external endpoints this increases the blast radius if enabled.