Payment Skill
by neverSatRabbit · v1.0.3 · MIT-0
190 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install payment-skill
Description
AI-native payment solution - provides secure and reliable payment functionality
Usage Guidance
This package contains working payment-client code, but there are several inconsistencies and configuration choices you should check before installing:
- Verify the correct API endpoint and owner: files disagree (api.zlclaw.com vs api.alipay.com) and ownerId values differ. Confirm which remote service you will talk to and that you trust that service and owner.
- Confirm required environment variables: SKILL.md, _meta.json, and YAML disagree about whether PAYMENT_API_URL is required. Ensure you understand which env vars must be set and where secrets (PAYMENT_API_SECRET) will be stored.
- Check logging configuration and file paths: production config mentions /var/log/payment-skill; decide whether logs will contain sensitive data and whether the skill should be allowed to write there. Prefer giving the skill a confined writable path.
- Encryption behavior: encryption is optional but DataEncryption.from_env requires a 32-byte PAYMENT_ENCRYPTION_KEY if used. Confirm how the skill uses that key and where it is stored.
- Run in an isolated environment first: install into an isolated VM/container or dedicated venv, review network calls (to the configured API_URL), and test with non-production credentials.
- Inspect pinned dependencies: requirements are pinned and include cryptography/pycryptodome; consider updating to supported versions if needed and scan dependencies for vulnerabilities.
- Source provenance: there is a GitHub issues link and an email in SKILL.md, but registry source/homepage are missing. If you need assurance, ask the maintainer for the canonical repository and verify the commit history and owner before trusting production credentials to this skill.
If you cannot verify the endpoint, owner, and configuration, treat this skill as risky for production use (use test credentials in an isolated environment until you can confirm).
Capability Analysis
Type: OpenClaw Skill
Name: payment-skill
Version: 1.0.3
The payment-skill bundle is a well-structured implementation of a payment processing service. It follows security best practices, including HMAC-SHA256 request signing in `payment_api_client.py`, input sanitization in `security.py`, and sensitive data masking in `diagnose.py` and `utils.py`. The code logic is consistent with the stated purpose in `SKILL.md`, and no evidence of data exfiltration, malicious execution, or prompt injection was found.
Capability Assessment
Purpose & Capability
The code and runtime instructions implement a payment client and legitimately require PAYMENT_API_KEY and PAYMENT_API_SECRET; that matches the stated purpose. However, metadata and configuration disagree in several places: _meta.json and src/payment_skill.yaml list PAYMENT_API_URL as required whereas SKILL.md lists it as optional; default API endpoints differ across files (api.zlclaw.com in SKILL.md/config, api.alipay.com in payment_skill.yaml). Owner IDs also differ between the registry metadata and _meta.json. These inconsistencies make it unclear which endpoint and configuration are authoritative.
Instruction Scope
SKILL.md instructs the agent to run skill_cli.py and to set PAYMENT_API_KEY/SECRET — which is consistent with the code. The runtime instructions do not direct the agent to read unrelated system credentials or exfiltrate data. The code does load config files from config/<env>.env if env vars are missing, and the diagnostic script inspects environment variables (masking keys when printing). That behavior is expected for a payment client, but you should be aware the skill will read env vars and local config files if present.
Install Mechanism
There is no registry install spec but the package includes a local scripts/setup.sh that creates a virtualenv and pip-installs pinned packages from local requirements files. Dependencies are pulled from PyPI (no arbitrary external binary downloads). This is typical but means installing the skill will install Python packages into a venv — review pinned versions before installation.
Credentials
The skill legitimately needs an API key and secret; these are declared in various places. However, the required/optional env vars are inconsistent across SKILL.md, _meta.json, and payment_skill.yaml (PAYMENT_API_URL appears as required in some metadata and optional in SKILL.md). The skill also references PAYMENT_ENCRYPTION_KEY (encryption) and PAYMENT_LOG_FILE (a file path possibly under /var/log). The yaml requests storage.read/storage.write/crypto.sign permissions. Requesting write access to system log paths or using an encryption key is plausible for a payment service, but the mismatched declarations and the potential for log files to contain sensitive info are notable and should be validated.
Persistence & Privilege
always:false and agent autonomous invocation is allowed (default) — nothing unusual. The skill writes logs to a local logs/ directory and production config suggests /var/log/payment-skill — writing to system log directories may require elevated permissions. The install script creates a venv in the project folder (no system-wide install). The yaml's storage permissions and the production log path are things to consider for deployment and least privilege.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install payment-skill`
- After installation, invoke the skill by name or use `/payment-skill`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.3
- Updated documentation with detailed usage instructions, tool descriptions, and setup guides.
- SKILL.md now includes clear examples for all tools: create_payment, query_payment, and refund_payment.
- Expanded environment variable details, listing both required and optional fields.
- Outlined security features and technical requirements for deployment.
- Added support and contact information for technical help and issue reporting.
Frequently Asked Questions
What is Payment Skill?
AI-native payment solution - provides secure and reliable payment functionality. It is an AI Agent Skill for Claude Code / OpenClaw, with 190 downloads so far.
How do I install Payment Skill?
Run "/install payment-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Payment Skill free?
Yes, Payment Skill is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Payment Skill support?
Payment Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Payment Skill?
It is built and maintained by neverSatRabbit (@neversatrabbit); the current version is v1.0.3.