skill-alipayplus-integration

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine Alipay+ integration helper, but it handles payment credentials and transaction data with weak safety guardrails that users should review before use.

Install only if you need Alipay+ payment-integration help and are prepared to review scripts before running them. Use sandbox credentials first, do not paste or log real private keys or production webhook payloads, avoid ngrok for production traffic, restrict permissions on generated files, clean up reconciliation reports, and fix the SFTP host-key and signature-example issues before copying examples into production.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding:
The Java SFTP example explicitly disables SSH host key verification with `session.setConfig("StrictHostKeyChecking", "no")`, which makes the client trust any server presenting a host key. In a payment reconciliation context, this enables man-in-the-middle interception or redirection to a rogue SFTP server, risking credential exposure and tampered financial files.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The guide consistently specifies Base64Url encoding for signatures, but the later Java example signs and verifies using plain Base64. Implementers who copy that sample can generate incompatible signatures or, worse, build ad hoc fallback logic that weakens verification behavior and breaks interoperability for payment request signing and webhook validation.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding:
The FAQ instructs users to sort parameters and omit null parameters, which contradicts the documented canonical string format based on raw method, URI, timestamp, client ID, and compact JSON body. In payment-signature documentation, contradictory canonicalization rules are dangerous because they cause implementers to sign different byte sequences, leading to verification failures and potentially insecure workarounds such as disabling strict verification.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
The trigger phrases include very broad terms such as `Alipay+`, `AlipayPlus`, and `How to integrate with Alipay+`, which can cause the skill to activate in contexts where the user did not intend to invoke it. Unintended invocation matters more here because the skill has access to `Bash`, `Write`, and `WebFetch`, increasing the chance that a mistaken routing could lead to external requests, file modifications, or execution of helper scripts.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The onboarding flow explicitly instructs users to fill configuration with private keys and webhook URLs and to run signature/webhook debugging steps, but it provides no warning about secret handling, redaction, secure storage, or the risk of exposing live transaction data in logs. In a payment-integration skill, this omission is more dangerous than generic documentation because users are likely to paste real credentials and inspect real notifications during troubleshooting, increasing the chance of credential leakage or sensitive payment-data exposure.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The reconciliation workflow covers downloading files from SFTP or a workspace and processing statements against local records, but it omits any warning that reconciliation files are highly sensitive financial records that may contain transaction identifiers, amounts, and merchant data. In this payment context, failing to mention access controls, encryption, retention, and safe report handling can lead to accidental disclosure or overly broad internal exposure.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The checklist directs implementers to integrate location-based functions such as getting the user's current region and checking supported regions, but it provides no guidance on consent, disclosure, data minimization, or secure handling of location data. In a payment/mobile wallet context, location is sensitive personal data, and omitting privacy safeguards can lead to unauthorized collection or regulatory noncompliance.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The guide recommends exposing a local webhook endpoint via ngrok and replaying notifications, but it does not warn users about the risks of sending real payment/webhook traffic through third-party tunnels or test tooling. In a payment integration context, this can leak sensitive transaction data, signatures, headers, and internal callback behavior, and can also lead to accidental exposure of a developer workstation or non-production service to the public internet.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The local webhook server writes full inbound requests directly to a persistent log file under the user's home directory. Payment notifications commonly contain sensitive business or personal data, and the script does not warn the user, minimize logged fields, or protect the log file, creating unnecessary data exposure risk if the workstation or logs are accessed by others.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The script starts ngrok to expose a local port to the public internet, which materially increases the attack surface of the developer's local service. Although this is a debugging tool and the behavior is intentional, the lack of a strong warning or safeguards may lead users to expose unauthenticated or sensitive local endpoints without understanding the risk.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The script generates a JSON configuration file that includes credential fields and writes it into a predictable workspace location without an explicit pre-write warning, permission hardening, or safer secret-handling flow. Even though the private key value is a placeholder by default, this workflow encourages users to store real long-lived secrets in a plaintext config file later, which increases the risk of accidental exposure through backups, logs, repository commits, or other local users/processes.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The script writes reconciliation artifacts and reports containing transaction and order data into a persistent workspace under the user's home directory without warning, retention controls, or access hardening. In a payment-integration context, these files can contain sensitive business and transaction metadata, so leaving them on disk increases exposure to local compromise, accidental disclosure, backup leakage, or multi-user access on shared systems.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The script prints the full private key material directly to the terminal after generation. Even in a testing tool, exposing secret key contents increases the risk of accidental disclosure through terminal scrollback, screen sharing, session logging, or copied output, which can compromise any environment where the key is reused.

Missing User Warnings

Severity: Low
Confidence: 91%
Finding:
The script writes decoded signature data to a fixed path in /tmp, which is a shared world-writable location. While the data here is not itself a secret private key, using a predictable temporary filename can enable symlink/race issues or unintended interference by other local users or processes on the same system.

VirusTotal

66/66 vendors flagged this skill as clean.