ClawHub

支付宝支付异步通知助手

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims for Alipay callback debugging, but it routes payment notification data through a third-party plain-HTTP relay and stores relay credentials locally.

Use only for sandbox or internal debugging. Do not send production Alipay callbacks or real customer/payment data through the default HTTP relay; prefer an HTTPS relay you control or trust. Add `.alipay-notify.json` and exported `notify_*.txt` files to `.gitignore`, delete them after testing, and avoid enabling `ack` or `--auto-ack` unless you explicitly want Alipay retries to stop.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger phrase “帮我接收支付宝异步通知” is broad and maps to a common user request, so an agent could invoke this skill automatically in ordinary payment-debugging conversations without the user explicitly consenting to use this third-party relay service. In this skill’s context, auto-invocation is more dangerous because using the skill causes registration against an external server and routes raw Alipay callback data through a cloud relay, creating unexpected data exposure and network side effects.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill states that configuration is automatically saved to `.alipay-notify.json` in the developer's current working directory without an explicit warning or consent step. Silent file creation/modification is risky because it can overwrite expected workspace state, leak configuration into source trees, or leave sensitive relay tokens in files the user did not realize were created.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill directs the agent to register with a hard-coded remote relay server over plain HTTP and send developer registration data there, with no meaningful privacy or transport-security warning. This is dangerous because payment notification data and relay credentials may traverse an unencrypted channel and be exposed to interception, tampering, or collection by the relay operator or a man-in-the-middle.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The skill tells the agent to directly edit `.alipay-notify.json` to add the Alipay public key but does not clearly warn that a local file will be modified. Although the key itself is public, unannounced file edits remain a security and integrity concern because they normalize silent workspace changes and may corrupt existing configuration.

Ssd 3

Medium
Confidence
91% confidence
Finding
The skill explicitly requires printing the complete raw payment notification body to the terminal. Even in a debugging context, raw payment callbacks can contain sensitive transaction identifiers, buyer metadata, and other user-provided values that may be exposed in terminal scrollback, logs, screen recordings, or shared sessions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal