WeChat Pay entrusted auto-debit (委托代扣) integration skill

Pass. Audited by ClawScan on May 11, 2026.

Overview

This is a coherent, instruction-only WeChat Pay integration guide, but users should treat it carefully because it describes real payment, refund, and merchant credential workflows.

This skill appears safe to install as an instruction-only reference, but treat it as guidance for real financial systems. Verify the publisher and official WeChat Pay docs, never share live merchant keys or certificate files with the agent, and require manual review and small-value testing before using generated or copied examples in production.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Guidance from this skill could be used to build or operate systems that charge customers or issue refunds.

Why it was flagged

The skill covers real payment lifecycle actions such as deductions, contract termination, refunds, and reconciliation. The behavior is purpose-aligned, but these workflows can affect money and account state if a user later implements or runs them.

Skill content

Covers the full flow for recurring-deduction and pay-after-use scenarios: standalone contract signing, signing during payment, deduction requests, pre-deduction notifications, contract termination, queries, refunds, and reconciliation.

Recommendation

Use the examples as documentation, require human review before deploying, and test with approved small-value or test templates before production.

What this means

If a user exposes these keys or certificates in chat, code, or logs, their merchant account and payment operations could be compromised.

Why it was flagged

The documentation identifies sensitive merchant credentials and certificates needed for signing, refund, and V3 request flows. This is expected for the payment integration, and the artifacts do not show these secrets being collected, logged, or transmitted elsewhere.

Skill content

**APIv2 key** (32 characters) ... **APIv3 key** (32 bytes) ... **Merchant API certificate** (`apiclient_cert.p12` / `apiclient_cert.pem` + `apiclient_key.pem`)

Recommendation

Do not paste real API keys, private keys, or certificate files into the agent conversation; store them in a secrets manager, environment variables, or approved key management system.

What this means

Users may have less assurance that the packaged guidance is maintained by the official provider or an audited source.

Why it was flagged

For a financial integration skill, the absence of source and homepage metadata limits independent provenance verification. The content itself is coherent and links to WeChat Pay documentation, so this is a provenance note rather than an indicator of malicious intent.

Skill content

Source: unknown; Homepage: none

Recommendation

Cross-check critical implementation details against official WeChat Pay documentation before production use.