Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

huifu-order-query

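[For backend projects] Huifu hosted-transaction order query API skill. Used to query an order's payment status and details. Triggered when the user mentions order query, payment query, or /hfpay/queryorderinfo.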

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description and the instructions consistently describe a Huifu (汇付) order query helper using the dg-java-sdk. Requesting the sdk dependency and showing API path/parameters is coherent with the stated purpose. However, the skill does not declare the practical runtime needs (merchant credentials / config) that the SDK and MerConfig will require.
Instruction Scope
The SKILL.md stays focused on implementing the query endpoint and only asks the developer to check pom.xml, add the dg-java-sdk dependency, run Maven, import SDK classes, and call the Huifu API. It does not instruct reading unrelated system files or exfiltrating data. It does, however, leave out any guidance about handling the merchant credentials/keys that MerConfig will need, which is an important omission.
Install Mechanism
This is an instruction-only skill with no install spec or supplied code files, so nothing will be downloaded or written by the skill itself. That is the lowest install risk.
Credentials
requires.env is empty, yet the instructions refer to MerConfig and merchant parameters (huifuId) — in practice the SDK needs merchant credentials, keys, and endpoint configuration. The skill does not declare any environment variables or configuration paths for secrets (merchant ID, API keys, private keys, certs), which is disproportionate or incomplete.
Persistence & Privilege
always is false and there is no install behavior or claims of modifying other skills or system-wide settings. The skill does not request persistent privileges.
What to consider before installing
This skill appears to be a straightforward instruction for adding a Huifu order-query implementation, but it omits two practical (and security-relevant) items: 1) it tells you to run Maven (mvn) yet the skill metadata lists no required binaries — confirm your environment has Maven installed before relying on these instructions; 2) it never specifies how to provide merchant credentials or keys (MerConfig), though the SDK will need them — verify where your project stores those secrets (environment variables, config files, keystore) and ensure they are handled securely. Additional checks before installing/using: confirm the dg-java-sdk version and its source, validate the Huifu API endpoints you will call, review any MerConfig initialization code to ensure secrets are not logged or uploaded elsewhere, and prefer testing in a dev environment. If the publisher supplies a homepage, repository, or explicit env vars for merchant credentials, and the skill metadata is updated to declare mvn as a required binary and the credential names, this assessment could move to benign.

Current version: v1.0.6

SKILL.md

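Huifu Order Query API

Trigger phrases

This skill is triggered when the developer mentions any of the following keywords:

  • order query, payment query, query order
  • /hfpay/queryorderinfo
  • Huifu order status, payment status query
  • hosted payment query

Prerequisite checks (important)

Before writing any code, you must first check whether the project has the Huifu SDK dependency installed.

Step 1: Check the dependency

Check whether the project's pom.xml file contains the dg-java-sdk dependency: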

<dependency>
    <groupId>com.huifu.bspay.sdk</groupId>
    <artifactId>dg-java-sdk</artifactId>
    <version>${dg-java-sdk.version}</version>
</dependency>

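Step 2: Install the dependency (if not installed)

If the project does not have this dependency, first add the dependency above to pom.xml, then run the Maven install: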

mvn clean install

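Or refresh the Maven project in your IDE.

Step 3: Verify the dependency

Confirm that the following classes can be imported:

  • com.huifu.bspay.sdk.opps.core.BasePay
  • com.huifu.bspay.sdk.opps.core.config.MerConfig
  • com.huifu.bspay.sdk.opps.core.net.BasePayRequest
  • com.huifu.bspay.sdk.opps.core.utils.DateTools
  • com.huifu.bspay.sdk.opps.core.utils.SequenceTools

Only after completing the prerequisite checks above should you proceed with development following the sample code in the reference directory.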
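
A scripted form of the Step 1 check, added here as an example and not part of the original SKILL.md: it reports whether pom.xml declares dg-java-sdk directly and whether its version (including a `${dg-java-sdk.version}` placeholder) resolves to one pinned value. The sample POM and the placeholder version 0.0.0-EXAMPLE are constructed; only the file's own `<dependencies>` and `<properties>` are inspected, not parent POMs or dependencyManagement.

```python
import re
import xml.etree.ElementTree as ET

GROUP_ID, ARTIFACT_ID = "com.huifu.bspay.sdk", "dg-java-sdk"

# Constructed sample POM; 0.0.0-EXAMPLE is a placeholder, not a real SDK version.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <dg-java-sdk.version>0.0.0-EXAMPLE</dg-java-sdk.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.huifu.bspay.sdk</groupId>
      <artifactId>dg-java-sdk</artifactId>
      <version>${dg-java-sdk.version}</version>
    </dependency>
  </dependencies>
</project>"""

def check_sdk_dependency(pom_text):
    """Return (status, version); status is one of
    "missing", "unversioned", "unresolved", "range", "pinned"."""
    root = ET.fromstring(pom_text)
    for el in root.iter():
        # POMs usually carry a default namespace; drop it so plain tag names match.
        el.tag = el.tag.split("}", 1)[-1]
    props = {p.tag: (p.text or "").strip() for p in root.findall("properties/*")}
    for dep in root.findall("dependencies/dependency"):
        if (dep.findtext("groupId", "").strip() != GROUP_ID
                or dep.findtext("artifactId", "").strip() != ARTIFACT_ID):
            continue
        version = dep.findtext("version", "").strip()
        if not version:
            return "unversioned", None
        placeholder = re.fullmatch(r"\$\{(.+)\}", version)
        if placeholder:
            # Resolve ${name} against <properties> in the same file.
            version = props.get(placeholder.group(1), "")
            if not version:
                return "unresolved", None
        # Ranges and LATEST/RELEASE let the build pick up a version nobody reviewed.
        if re.search(r"[\[\](),]", version) or version in ("LATEST", "RELEASE"):
            return "range", version
        return "pinned", version
    return "missing", None

if __name__ == "__main__":
    print(check_sdk_dependency(SAMPLE_POM))
```
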

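API description

Property              Value
Endpoint path         /hfpay/queryorderinfo
Request method        POST
Content-Type          application/json
Huifu API endpoint    v2/trade/hosting/payment/queryorderinfo

Function

Queries an order's payment status and details, including transaction status, amount, and time.

Request parameters

Parameter         Type      Required    Description
huifuId           String                Merchant ID
org_req_date      String                Original transaction request date (format: yyyyMMdd)
org_req_seq_id    String                Original transaction request sequence number

Implementation steps

  1. Initialize the merchant configuration (MerConfig)
  2. Assemble the request parameters (including the original transaction information)
  3. Call the Huifu API
  4. Return the result

Notes

  1. The original transaction's request date and request sequence number must be passed in
  2. Can be used to confirm the payment status before performing business processing
  3. It is recommended to call the query API synchronously when handling asynchronous notifications, as a second confirmation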
