HONGKONG-PAYMENT-QFPAY
v1.0.0
QFPay API is a comprehensive payment solution that offers various payment methods to meet the needs of different businesses. This skill provides complete API integration guidelines including environment configuration, request formats, signature generation, payment types, supported currencies, and status codes.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description claim a QFPay API integration guide and the SKILL.md indeed contains request formats, signature rules, endpoints, and env var names. That content is consistent with a payment-integration documentation skill. However the skill metadata lists no required environment variables or a primary credential while the SKILL.md explicitly instructs users to export QFPAY_APPCODE and QFPAY_KEY (and optionally QFPAY_MCHID). This metadata/instruction mismatch is suspicious (likely an omission) and reduces transparency.
Instruction Scope
The SKILL.md stays within the expected scope of a payment API guide: environment endpoints, request/response formats, headers, signature generation, rate limits, and notify_url usage. It does not instruct the agent to read unrelated system files or arbitrary credentials beyond the documented QFPay vars. No broad or vague 'gather whatever context you need' instructions were found.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes install-time risk because nothing is downloaded or written to disk by the skill package itself.
Credentials
The SKILL.md directs users to set sensitive credentials (QFPAY_APPCODE, QFPAY_KEY, optionally QFPAY_MCHID and QFPAY_ENV). Those are reasonable and proportional for a payment integration, but the skill's declared requirements list zero environment variables and no primary credential. The inconsistency reduces transparency about what secrets the skill expects and how they will be used. Users should treat these env vars as secrets and confirm where/when they're submitted.
Persistence & Privilege
The skill does not request elevated presence: always:false, no install steps, and it does not claim to modify other skills or system-wide config. Autonomous invocation is allowed (platform default) but is not combined with other privilege red flags.
What to consider before installing
This skill looks like a documentation-only guide for QFPay (sandbox/test/prod endpoints, headers, signature rules), which is plausible. However:
1) SKILL.md asks you to export sensitive variables (QFPAY_APPCODE, QFPAY_KEY, QFPAY_MCHID) but the skill metadata declares none — treat that as an omission and a transparency concern.
2) Do not paste production keys into any third-party skill or into conversational inputs unless you trust the skill source. Prefer using sandbox credentials while testing.
3) Verify the skill's origin (homepage/source repository) before using in production; the package lists no homepage.
4) If you will have the agent perform real requests, configure secrets in a secure secret store (not in chat), validate signature generation locally or from trusted SDKs, and confirm notify_url endpoints are secured (validate incoming notifications).
5) If anything in SKILL.md is unclear (truncated snippets, missing code examples claimed in README), ask the publisher for full, canonical docs or use the official QFPay docs at sdk.qfapi.com before providing credentials.
Like a lobster shell, security has layers — review code before you run it.
