Back to skill
Skillv1.0.13
VirusTotal security
jd-clawtip-payment-skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
BenignMar 30, 2026, 6:41 AM
- Hash
- c3661b936247bb599fcf7ba650d178974c76c31c7ac4536bad327fe8563a2da3
- Source
- palm
- Verdict
- benign
- Code Insight
- Type: OpenClaw Skill Name: jd-clawtip-payment-skill Version: 1.0.13 The skill bundle implements a payment transaction and token registration system for JD.com (Jingdong) services. It uses Python scripts (payment_process.py, check_register_status.py) to communicate with official JD Finance endpoints (ms.jr.jd.com) and utilizes a bundled Node.js cryptographic library (summer-cryptico-2.0.2.min.js) to perform SM2/SM4 encryption on sensitive payloads. While the skill stores a userToken in a local file (configs/config.bin) using base64 encoding—which is a security vulnerability—this behavior is explicitly disclosed in the SKILL.md documentation. The instructions for the AI agent to manage scheduled tasks for polling registration status are consistent with the functional requirements of a payment utility.
- External report
- View on VirusTotal