Skillv1.0.0

ClawScan security

skill-alipayplus-integration · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 8, 2026, 1:24 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly matches its stated Alipay+ integration purpose, but there are several inconsistencies and privacy/safety concerns (undocumented env usage, a referenced but missing install script, and scripts that can expose keys or open network tunnels) that you should review before running.
Guidance: This skill appears to implement legitimate Alipay+ integration helpers, but review before running: 1) Do not run scripts blindly — inspect them line-by-line (they will generate files under $HOME/.openclaw/workspace and may output private keys). 2) The package.json references ./scripts/install.js which is missing; treat the package as incomplete until resolved. 3) The scripts expect environment variables and SSH key files (SFTP_USER, SFTP_KEY, PARTICIPANT_ID, etc.) that are not declared in the skill metadata — do not supply production credentials; use test/sandbox credentials first. 4) test-signature.sh prints private key material to the console and debug-notify.sh logs incoming webhook payloads; avoid pasting real production private keys into generated config files or leaving them readable on disk. 5) If you need to test webhooks, be cautious when using ngrok (it exposes a public URL); limit exposure and rotate any credentials used for testing. 6) Recommended mitigations: run in an isolated environment or VM, create dedicated test keys/accounts, set strict file permissions on any generated files, and remove generated keys/configs after testing. If you want, I can list the exact lines that print or store sensitive values and suggest minimal edits to make the scripts safer before you run them.

Review Dimensions

Purpose & Capability: noteName/description match the included artifacts: config generation, signature testing, webhook debugging, and reconciliation — and the shipped scripts implement those tasks. However, package.json declares a bin entry (./scripts/install.js) and an install script that are not present in the file manifest, and the SKILL metadata declares no required environment variables even though the scripts expect several (SFTP_USER, SFTP_KEY, PARTICIPANT_ID, etc.).
Instruction Scope: concernSKILL.md instructs the agent to run the provided scripts (generate-config.sh, test-signature.sh, debug-notify.sh, reconciliation.sh). The scripts read/write files under $HOME/.openclaw/workspace and ~/.openclaw, expect SFTP keys, may print private key contents to stdout (test-signature.sh prints the generated private key), and debug-notify.sh can start ngrok to expose a local service and logs incoming requests to a local logfile. The SKILL.md did not declare or surface these file/credential operations explicitly, and some script behaviors (printing private keys, logging incoming webhook content) increase risk if run without review.
Install Mechanism: concernThere is no install spec (instruction-only), which is lower risk, but package.json declares a bin ('alipayplus-install': './scripts/install.js') and an install npm script that refer to scripts/install.js which is missing from the manifest. That mismatch is an integrity/packaging concern — it may be an accidental omission or indicate incomplete/untested packaging.
Credentials: concernSkill metadata lists no required environment variables or primary credential, but the scripts use multiple environment variables and default paths (SFTP_USER, SFTP_HOST, SFTP_KEY, PARTICIPANT_ID, ENV, LOCAL_DIR, and workspace/private key paths). The scripts also default to user-home locations (e.g., $HOME/.openclaw/workspace, ~/.ssh/alipayplus_sftp) and may read files there. The absence of declared env requirements is an inconsistency; you should not provide production private keys or SFTP credentials until you confirm behavior.
Persistence & Privilege: okThe skill is not 'always:true' and does not request platform-level persistent privileges. It is user-invocable and allows autonomous invocation (default), which is normal. The skill writes files into its own workspace under the user's home directory, which is expected for this type of tool but should be checked for sensitive data retention.