test-1-1

Pass. Audited by ClawScan on May 11, 2026.

Overview

This is a documentation-only WeChat Pay delegated-deduction guide; it covers high-impact payment flows, but the provided artifacts show no hidden code, install step, persistence, or automatic financial action.

Install only if you need WeChat Pay delegated-deduction (委托代扣) integration guidance. Verify the skill's provenance and the linked official docs, never paste real payment keys into chat, review any generated code manually, and require explicit business approval before running deduction, refund, or order-management calls.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a user copies unreviewed generated payment code into production, it could affect real deductions, refunds, or order handling.

Why it was flagged

The skill can guide the agent to draft reference payment-integration code after user consent, but it also constrains this to official-document comparison and forbids writing directly into the project.

Skill content

After consent, use WebFetch to open the corresponding official API URL on the spot and construct a "reference implementation" of the business code field by field against the sample messages... Writing directly into the user's project is strictly forbidden.

Recommendation

Treat generated code as reference only; require engineering review, official-doc comparison, small-value testing, and separate approval before any live payment action.

What this means

Mishandled API keys or certificates could enable unauthorized payment requests, refunds, or access to transaction data.

Why it was flagged

The integration necessarily involves privileged WeChat Pay merchant or service-provider credentials, although the skill itself does not request or store them.

Skill content

Signing/deduction uses the service-provider merchant ID + the service-provider APIv2 key

Recommendation

Do not paste real keys into chat; keep credentials in a secret manager, restrict access, and verify credential scope before implementing the examples.

What this means

Poorly secured callback endpoints or logs could expose identifiers or allow spoofed payment notifications.

Why it was flagged

The skill documents payment-result webhook flows whose payloads include user/payment identifiers and require signature verification.

Skill content

Protocol version: API V2 (XML, **not encrypted**)... The merchant system **must verify the signature** on the notification content

Recommendation

Serve the callback endpoint over HTTPS, verify the signature before acting on any field, check that total_fee matches the local order, route by sub_mch_id, make processing idempotent (WeChat resends the notification until it receives a SUCCESS reply), and avoid logging sensitive callback fields such as openid.
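The following is an added example of the callback checks listed above, written for this review; it is not code from the skill or from WeChat Pay. It implements the API V2 signing rule (sorted non-empty fields joined as k=v&k=v, then &key=API_KEY, hashed with MD5 or HMAC-SHA256 and upper-cased), verifies the signature before anything else, checks sub_mch_id and total_fee against a local order, applies the state change once per transaction_id, and logs only reconciliation identifiers. The sample notification, order store and API key are constructed placeholders; the function names and outcome strings are this example's own.

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Placeholder key for this example (not a real key). In production load the APIv2
# key from a secret manager rather than embedding it in code or pasting it into chat.
API_KEY = os.environ.get("WXPAY_V2_API_KEY", "example_key_not_for_production_use")

# Constructed sample notification fields; values are made up, field names follow
# the WeChat Pay API V2 XML callback format.
SAMPLE_FIELDS = {
    "return_code": "SUCCESS", "result_code": "SUCCESS",
    "appid": "wx0000000000000000", "mch_id": "1230000109", "sub_mch_id": "1900000109",
    "nonce_str": "5K8264ILTKCH16CQ2502SI8ZNMTM67VS",
    "openid": "oUpF8uMuAJO_M2pxb1Q9zNjWeS6o",
    "total_fee": "1999", "fee_type": "CNY",
    "transaction_id": "1004400740201409030005092168",
    "out_trade_no": "ORD20260511001", "time_end": "20260511120000",
}

# Constructed local order store: out_trade_no -> expected amount (in fen) and sub-merchant.
ORDERS = {"ORD20260511001": {"total_fee": 1999, "sub_mch_id": "1900000109", "state": "pending"}}
PROCESSED = set()  # transaction_ids already applied (idempotency)


def compute_sign(params, api_key, sign_type="MD5"):
    """V2 rule: sort keys ASCII-ascending, drop empty values and 'sign' itself,
    join as k=v&k=v, append &key=API_KEY, hash, return uppercase hex."""
    items = sorted((k, v) for k, v in params.items() if k != "sign" and v not in (None, ""))
    string_sign_temp = "&".join(f"{k}={v}" for k, v in items) + f"&key={api_key}"
    if sign_type == "MD5":
        digest = hashlib.md5(string_sign_temp.encode("utf-8")).hexdigest()
    elif sign_type == "HMAC-SHA256":
        digest = hmac.new(api_key.encode("utf-8"), string_sign_temp.encode("utf-8"), hashlib.sha256).hexdigest()
    else:
        raise ValueError(f"unsupported sign_type: {sign_type}")
    return digest.upper()


def verify_sign(params, api_key):
    """Constant-time comparison of the recomputed signature with the received one."""
    try:
        expected = compute_sign(params, api_key, params.get("sign_type", "MD5"))
    except ValueError:
        return False
    return hmac.compare_digest(expected.encode(), params.get("sign", "").encode("utf-8"))


def parse_notification(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != "xml":
        raise ValueError("unexpected root element")
    return {child.tag: (child.text or "") for child in root}


def sign_and_serialize(fields, api_key):
    """Build a signed V2 XML body; used here only to produce example input."""
    signed = dict(fields)
    signed["sign"] = compute_sign(signed, api_key, fields.get("sign_type", "MD5"))
    return "<xml>" + "".join(f"<{k}><![CDATA[{v}]]></{k}>" for k, v in signed.items()) + "</xml>"


def reply(code, msg):
    return (f"<xml><return_code><![CDATA[{code}]]></return_code>"
            f"<return_msg><![CDATA[{msg}]]></return_msg></xml>")


def loggable(params):
    # Reconciliation identifiers only; never openid or the raw payload.
    return {k: params[k] for k in ("out_trade_no", "transaction_id", "sub_mch_id", "total_fee") if k in params}


def handle_notification(xml_text, api_key=API_KEY, orders=None, processed=None):
    """Returns (xml_reply_body, outcome). A FAIL reply makes WeChat resend later."""
    orders = ORDERS if orders is None else orders
    processed = PROCESSED if processed is None else processed
    try:
        p = parse_notification(xml_text)
    except (ET.ParseError, ValueError):
        return reply("FAIL", "malformed notification"), "rejected:malformed"
    # 1. Signature first: no field in the payload is trustworthy before this check.
    if not verify_sign(p, api_key):
        return reply("FAIL", "signature check failed"), "rejected:bad_sign"
    if p.get("return_code") != "SUCCESS" or p.get("result_code") != "SUCCESS":
        return reply("SUCCESS", "OK"), "acked:not_success"  # record the failed deduction elsewhere
    order = orders.get(p.get("out_trade_no"))
    if order is None:
        return reply("FAIL", "unknown order"), "rejected:unknown_order"
    # 2. Route by sub_mch_id: a validly signed notice for another sub-merchant must not settle this order.
    if p.get("sub_mch_id") != order["sub_mch_id"]:
        return reply("FAIL", "sub_mch_id mismatch"), "rejected:wrong_sub_mch"
    # 3. Amount check: total_fee is in fen; compare with what the order was charged.
    try:
        paid = int(p.get("total_fee", ""))
    except ValueError:
        return reply("FAIL", "bad total_fee"), "rejected:bad_amount"
    if paid != order["total_fee"]:
        return reply("FAIL", "amount mismatch"), "rejected:amount_mismatch"
    # 4. Idempotency: WeChat resends until it gets SUCCESS, so apply the state change once.
    txn = p.get("transaction_id", "")
    if txn in processed or order["state"] == "paid":
        return reply("SUCCESS", "OK"), "acked:duplicate"
    processed.add(txn)
    order["state"] = "paid"
    print("deduction confirmed", loggable(p))
    return reply("SUCCESS", "OK"), "applied"


if __name__ == "__main__":
    print(handle_notification(sign_and_serialize(SAMPLE_FIELDS, API_KEY)))
```

The handler is meant to sit behind an HTTPS endpoint; transport security is outside the snippet. Note that the signature check happens before the return_code/result_code check, so a spoofed "failure" notice cannot influence order state either, and that both the in-memory order store and the processed set are stand-ins for a database with a unique constraint on transaction_id.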

What this means

A user could over-trust payment guidance without independently confirming the skill's provenance and freshness.

Why it was flagged

For a financial integration skill, the supplied registry metadata does not provide a verifiable source repository or homepage.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the skill owner and compare any guidance against the linked official WeChat Pay documentation before using it for production payments.