WeChat Pay Basic Payment Integration Skill

v1.0.0

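WeChat Pay basic payment solution covering payments, refund bills, profit sharing, merchant onboarding, and account-opening intent confirmation, providing five capabilities: product selection, code examples, business quick reference, quality assessment, and troubleshooting. Use when user mentions "JSAPI payment", "APP payment", "H5 payment", "Native payment", "Mini Program payment", "payment code payment", "combined payment", "invoke...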

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (WeChat Pay basic integration) match the provided assets: SDK examples, integration guides, troubleshooting docs, and small CLI scripts to query orders/refunds. Nothing in the manifest asks for unrelated cloud credentials, system-level access, or capabilities that don't belong to a payments integration skill.
Instruction Scope
SKILL.md gives explicit, narrow runtime rules: confirm merchant/service-provider mode, only retrieve and display example code (do not write files), follow a consent-driven collection flow, and use a signature pattern where the user must create signatures on their own server (scripts require Base64 signature/timestamp/nonce but explicitly forbid supplying private keys). The instructions do not direct the agent to read arbitrary local files, exfiltrate secrets, or post data to unexpected endpoints; HTTP calls in scripts target api.mch.weixin.qq.com as expected.
Install Mechanism
There is no install spec (instruction-only skill). Files are bundled as examples and scripts; nothing downloads or extracts code at install time. This is the lower-risk model for a documentation / sample-code skill.
Credentials
The skill declares no required environment variables or primary credentials. Example code references merchant IDs, certificate serial numbers, private key file paths, and public-key IDs — all expected for WeChat Pay examples — but the skill does not request these as platform-level secrets. Scripts are designed to accept signed values rather than private keys, which is proportionate.
Persistence & Privilege
Flags are default: always=false, user-invocable=true, and model invocation not disabled. The skill does not request permanent presence nor attempt to modify other skills or system-wide settings.
Scan Findings in Context
[base64-block] expected: SKILL.md and scripts refer to Base64 signatures and explicitly require users to supply Base64 signature values; a 'base64-block' pattern match is expected for payment signature flows and is not, by itself, malicious.
Assessment
This package appears to be a coherent WeChat Pay integration helper (docs, many language examples, and small troubleshooting scripts). Before installing or running anything: 1) verify the package source (the manifest lists no homepage/source—prefer official or known vendor copies); 2) never share your private API key or certificate private key—the scripts properly ask for signatures generated on your server and for the public key ID, which is the correct pattern; 3) inspect any omitted files (165 files were truncated in the listing) for unexpected network endpoints or hardcoded secrets; 4) if you run the included scripts, pass only signed values (signature, timestamp, nonce) and run them from a trusted environment; and 5) if you need automated actions, prefer generating signatures server-side and avoid uploading private keys to third parties. If you want, I can scan the remaining truncated files for suspicious endpoints, hardcoded secrets, or unexpected behaviors.

Like a lobster shell, security has layers — review code before you run it.
