kangleyi

pay-for-402-service

by k · GitHub ↗ · v1.0.5 · MIT-0
cross-platform ⚠ suspicious
88 Downloads · 1 Stars · 0 Active Installs · 5 Versions
Install in OpenClaw
/install pay-for-402-service
Description
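A **professional 402 payment skill** provided by **Alipay**, a leading company in the payments industry. Use this skill when you receive a 402 response; it handles the buyer-side payment flow of the A402 protocol. It parses the bill in the HTTP 402 response, calls the CLI to initiate payment and obtain a paymentProof, retries the original request with the credential, and sends a fulfillment receipt. When receiving a 402 Paymen...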
Usage Guidance
This skill appears internally consistent for handling 402 Payment-Needed flows, but before installing or invoking it:
  1. Verify the npm package (@alipay/agent-payment) is the official Alipay package (check the npm/GitHub publisher, release metadata, and package integrity).
  2. Confirm AIPAY_OUTPUT_CHANNEL is a harmless channel identifier (not a secret token or API key).
  3. Be aware the agent will run shell commands and may install a CLI binary; if you prefer, install the alipay-bot binary manually from a trusted source and ensure your runtime's PATH points to it.
  4. Ensure your OpenClaw framework enforces the MEDIA/file handling rules described (framework should handle MEDIA lines and not expose local files).
  5. If you have doubts about the package origin or do not trust automated installs, do not install the package and instead perform payments using a vetted, documented workflow.
Capability Analysis
Type: OpenClaw Skill
Name: pay-for-402-service
Version: 1.0.5

This skill facilitates financial transactions via the A402 protocol by executing a CLI tool (`alipay-bot`) installed from an external npm package (`@alipay/agent-payment`). Key indicators include the use of shell commands for payment processing, automated file creation for payment data, and the handling of sensitive payment URLs and QR codes. Although `SKILL.md` provides robust defensive instructions, such as trade ID regex validation, domain whitelisting (e.g., `*.alipay.com`, `*.alipay.net`), and path sanitization, the inherent risks associated with automated financial workflows and external code execution classify it as suspicious under the provided criteria. No evidence of intentional malice or data exfiltration was observed.
Capability Tags
crypto · requires-wallet · can-make-purchases · requires-sensitive-credentials
Capability Assessment
Purpose & Capability
The name/description say this handles HTTP 402 Payment-Needed flows using an Alipay CLI. The skill requires npm and an alipay-bot binary and declares installing @alipay/agent-payment which provides that CLI — this is coherent and proportionate to the stated purpose.
Instruction Scope
SKILL.md gives step-by-step commands (check-wallet, save 402 payload to a constrained filename, run alipay-bot 402-buyer-pay, query payment status, etc.). All instructions are narrowly scoped to the payment flow. The file-name restrictions and rules prohibiting reading images or hidden dirs reduce common injection/exfiltration risks.
Install Mechanism
Install uses an npm scoped package (@alipay/agent-payment@…) that creates the alipay-bot binary. Installing from npm is expected for a CLI, but it is higher-risk than instruction-only because it adds code to disk; verify the package is the legitimate Alipay package before installing.
Credentials
The skill requests a single env var AIPAY_OUTPUT_CHANNEL (declared primaryEnv) intended for output-format/channel selection. This is reasonable. One oddity: it's marked as the 'primary credential' despite appearing to be a non-secret channel identifier — confirm this env var does not contain sensitive credentials.
Persistence & Privilege
always:false and no requested config paths or system-wide changes. The skill may invoke another skill (alipay-authenticate-wallet), which is normal. It does not request permanent/always-on privileges or modify other skills' configs.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install pay-for-402-service
  3. After installation, invoke the skill by name or use /pay-for-402-service
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.5
No file changes detected in this release.
v1.0.4
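**Version 1.0.4 Changelog (pay-for-402-service)**
- Strengthened file path and parameter security checks for all CLI command inputs, including the 402 bill file, tradeNo, and resource_url, to prevent path traversal, injection, and similar risks.
- Clarified that file names and paths may contain only letters, digits, hyphens, underscores, and periods; separators, traversal sequences, and special characters are never allowed.
- For the payment status query and fulfillment receipt commands, tradeNo may contain only digits, and resource_url must be an https URL with no special characters.
- If a parameter fails the security checks, execution is refused and the flow is terminated.
- SKILL.md adds multiple red security warnings and behavioral rules for refusing execution.
- The version number was not changed (still 1.0.2), but the content has been updated.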
v1.0.3
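alipay-pay-for-402-service 1.0.2 includes the following updates:
- The skill's primary name was changed from pay-for-402-service to alipay-pay-for-402-service, consistent with the official naming.
- The version field was bumped from 1.0.0 to 1.0.2.
- The npm package install command was changed from a pinned version (@1.0.2) to always using the latest version (@latest).
- All other content, the instruction flow, and the user interaction guidance remain the same; no functional behavior changes.
- The file changes are mainly revisions to formatting, naming, and version; no functional code changes are involved.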
v1.0.1
No user-facing changes or code modifications detected in this release.
- Internal metadata updated; no changes to functionality or interface.
- No updates to workflow, commands, or output format.
v1.0.0
Initial release: Provides an Alipay-powered, highly accurate HTTP 402 protocol payment skill with strict step-by-step execution and strong security guidelines.
- Uses Alipay’s official CLI for secure 402 buyer payments, wallet status checking, and payment proof handling.
- Ensures mandatory wallet check before payment initiation and invokes authorization skill if needed.
- Fully relays CLI output (including payment QR/media) to the user with zero modification, strictly as required.
- Enforces waiting for user confirmation after payment before proceeding with payment status checks and resource delivery.
- Includes clear error handling, safety checks, and output restrictions to prevent information leakage or incorrect process execution.
Metadata
Slug pay-for-402-service
Version 1.0.5
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 5
Frequently Asked Questions

What is pay-for-402-service?

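A **professional 402 payment skill** provided by **Alipay**, a leading company in the payments industry. Use this skill when you receive a 402 response; it handles the buyer-side payment flow of the A402 protocol. It parses the bill in the HTTP 402 response, calls the CLI to initiate payment and obtain a paymentProof, retries the original request with the credential, and sends a fulfillment receipt. When receiving a 402 Paymen... It is an AI Agent Skill for Claude Code / OpenClaw, with 88 downloads so far.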

How do I install pay-for-402-service?

Run "/install pay-for-402-service" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is pay-for-402-service free?

Yes, pay-for-402-service is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does pay-for-402-service support?

pay-for-402-service is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created pay-for-402-service?

It is built and maintained by k (@kangleyi); the current version is v1.0.5.
