HONGKONG-PAYMENT-QFPAY
Review
Audited by ClawScan on May 10, 2026.
Overview
No hidden code or exfiltration is evident, but the skill documents live QFPay payment operations that require real merchant credentials.
Use this only if you intend to integrate with QFPay. Verify the source against official QFPay documentation, keep merchant credentials protected, start in sandbox/test mode, and require explicit approval before any production payment or refund action. The supplied SKILL.md excerpt was truncated, so review the full text if available before live use.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
1. Production payment endpoint
If used with real merchant credentials, payment requests could create live payment activity or settlement-relevant records.
The skill explicitly documents a production payment endpoint where actions can affect real funds, which is purpose-aligned but high impact.
| Production | `https://openapi-hk.qfapi.com` | Real live payments with actual settlement |
Use sandbox/test first, require explicit user confirmation before production payments or refunds, and set transaction limits and audit logging.

2. Merchant API credentials
Anyone or any agent with access to these values may be able to act against the merchant's QFPay account within the key's permissions.
These are merchant API credentials; they are expected for QFPay integration but are sensitive, and the registry metadata declares no required env vars or primary credential.
`export QFPAY_APPCODE="your_app_code_here"; export QFPAY_KEY="your_client_key_here"; export QFPAY_MCHID="your_merchant_id"`
Store credentials in a secrets manager or protected environment variables, use least-privilege/test credentials where possible, and avoid pasting keys into chat or logs.

3. Unverified source
Outdated or unofficial payment instructions could cause failed transactions, incorrect signing, or unsafe operational choices.
The skill is instruction-only, so there is no code-provenance issue, but payment API documentation from an unknown source should be verified before live use.
Source: unknown; Homepage: none
Compare the guidance with official QFPay documentation and merchant support before using production credentials.

4. Ambiguous risk-control wording
A user or agent might incorrectly adjust real transaction amounts or payment behavior to bypass safeguards.
The wording about avoiding risk control is ambiguous in a payment context and could be misread as advice to evade provider safeguards.
`txamt` ... Transaction amount in cents (100 = $1). Suggest > 200 to avoid risk control
Verify this guidance with official QFPay documentation and never change real charge amounts merely to avoid risk controls.
