ClawHub

微信跨境支付接入Skill

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only WeChat Pay Global integration skill with payment-rule caveats, but no evidence of hidden code, credential theft, persistence, or destructive behavior.

Install only if you need a WeChat Pay Global reference assistant. Because it concerns regulated payment flows, verify current direct-connection eligibility, auto-debit consent and notification requirements, credential handling, and production API behavior against official WeChat Pay documentation or your Tencent/WeChat Pay contact before using the guidance operationally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The document presents contradictory hard rules about who may directly integrate: the opening states only Hong Kong merchants can directly connect, while later sections state both Hong Kong and the UK can use direct connection. In a payment-integration skill, contradictory eligibility guidance can cause users to choose an invalid onboarding path, misconfigure compliance-sensitive integrations, or waste significant effort with the wrong merchant model.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill includes very broad troubleshooting trigger language that can cause activation for generic error-reporting requests, even when the user did not explicitly ask for this specific WeChat Pay overseas institutional troubleshooting flow. That can misroute users into a payment-specific support path, increasing the chance of irrelevant guidance, unnecessary collection of operational details, or confusion in adjacent financial workflows.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal