HONGKONG-PAYMENT-QFPAY

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only QFPay payment integration skill, with expected payment and credential guidance but no evidence of hidden execution or data misuse.

Use this only for QFPay integration. Start with sandbox or test credentials, keep QFPAY_KEY and merchant credentials out of source control, shared terminals, logs, and chat, and require explicit user approval before any production payment or refund.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 84% confidence
Finding: The README instructs users to export payment API credentials directly as shell environment variables but does not include any guidance about secure handling, such as avoiding shell history capture, process inspection exposure, accidental logging, or committing values into scripts. In a payment-integration skill, these secrets can authorize API calls and access merchant resources, so weak operational guidance increases the chance of credential leakage even though the document itself does not expose real secrets.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal