zhangke091

Alipay Payment Async Notification Assistant

by zhangke091 · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
94 Downloads · 1 Stars · 0 Active Installs · 2 Versions
Install in OpenClaw
/install alipay-notify
Description
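Alipay async notification relay: receive Alipay asynchronous notifications in local development without a public IP. The skill bundles a self-contained CLI script; after installation the Agent automatically runs the whole flow: register → obtain notify_url → listen in real time → view the raw message → verify the signature locally. It depends only on Python 3 and needs no server deployment. For integration-testing environments only.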
README (SKILL.md)

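Alipay Async Notification Relay

For integration testing, sandbox and internal debugging only. Not for production use.

What problem it solves

A local development environment has no public IP, so it cannot receive Alipay asynchronous notifications (notify_url).
This skill ships a CLI script plus a cloud relay service; once it is installed, the Agent runs it directly and the local machine receives Alipay's asynchronous notifications in real time.

Alipay ──POST──► cloud relay /notify/<token>
                       │
                       └──► CLI on the developer's machine pulls in real time
                             ├─ view the raw message
                             ├─ RSA2 signature verification
                             └─ hook into local business logic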

Skill directory structure

alipay-notify-relay/
├── SKILL.md           # this file (Agent instructions)
└── scripts/
    └── cli.py         # CLI tool (register / listen / query / verify / export)

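Agent execution rules

All CLI operations in this skill are executed by the Agent directly in the terminal; the developer does not need to type commands manually.

The Agent must first locate the CLI script: scripts/cli.py in the same directory as SKILL.md.
How to run:

# SKILL_DIR is the absolute path of the directory containing SKILL.md
python3 "$SKILL_DIR/scripts/cli.py" <command> [args]

  • Configuration is saved automatically to .alipay-notify.json in the developer's current working directory
  • Signature verification is done locally on the developer's machine; the cloud stores no private key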

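Prerequisites

  • Python 3.6+ (bundled with macOS/Linux)
  • Signature verification (optional) needs an extra install: pip install cryptography
  • No server deployment required: the relay service already runs in the cloud; after installing the skill, register with the CLI directly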

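Full workflow

Step 1: Register (obtain the asynchronous notification URL)

The Agent runs:

python3 "$SKILL_DIR/scripts/cli.py" register --server http://8.136.213.223:9010 --name <developer name>

  • Default relay service address: http://8.136.213.223:9010
  • If the configuration file already contains server_url, --server can be omitted
  • With no arguments at all, the command enters an interactive wizard

The command prints the notify_url; the developer passes it to the payment order API.

A given IP can register only once. Running the command again returns the existing credentials.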

Step 2: Pass notify_url to the payment API

notify_url is a parameter of the order-placement API call; it is not configured in the Open Platform console.

Java:

request.setNotifyUrl("<notify_url>");

Python:

result = client.page_execute(request, notify_url="<notify_url>")

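Step 3: Retrieve the asynchronous notification after a successful payment

The Agent runs:

# Listen in real time (no automatic ack, so Alipay can still retry)
python3 "$SKILL_DIR/scripts/cli.py" listen

# List the notifications received so far
python3 "$SKILL_DIR/scripts/cli.py" list

# Show the full content of one notification
python3 "$SKILL_DIR/scripts/cli.py" get <id>

# Export and print the raw message
python3 "$SKILL_DIR/scripts/cli.py" export <id> && cat notify_<id>.txt

Ack policy: listen runs without --auto-ack by default, so that automatic acknowledgement does not make Alipay stop retrying. Use listen --auto-ack only when the developer explicitly asks for automatic acknowledgement. To acknowledge a single notification manually: python3 "$SKILL_DIR/scripts/cli.py" ack <id>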

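Step 4: Local signature verification

The developer performs RSA2 signature verification in their own project using the Alipay public key.

Quick verification with the CLI (optional):

  1. Configure the Alipay public key (first time only): ask the developer for the Alipay public key (Base64 format, starting with MIIBIjAN) and write it to .alipay-notify.json
# The Agent edits .alipay-notify.json directly and adds the alipay_public_key field
# The value is the Alipay public key as a Base64 string (without the PEM header and footer)
  2. Run the verification:
python3 "$SKILL_DIR/scripts/cli.py" verify <id>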
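
The local RSA2 check from Step 4, written out as an added example (it is not the skill's cli.py, whose source is not shown on this page). It assumes the exported file holds the URL-encoded form body and that the signed string is built the way Alipay documents for asynchronous notifications: drop sign and sign_type, URL-decode the values, sort by parameter name, join with &. The names split_notification and verify_notification and the sample body are made up for the example.

```python
import base64
from typing import Tuple
from urllib.parse import parse_qsl

# Constructed sample body (not a real notification; the signature is a dummy value).
SAMPLE_RAW_BODY = (
    "trade_status=TRADE_SUCCESS&out_trade_no=ORDER-1001&total_amount=0.01"
    "&subject=Test+order&charset=utf-8&sign_type=RSA2"
    "&sign=ZmFrZS1zaWduYXR1cmU%3D"
)


def split_notification(raw_body: str) -> Tuple[str, bytes, str]:
    """Return (string_to_verify, signature_bytes, charset) for a raw notify body."""
    # Read the declared charset first: the values must be decoded with it.
    charset = dict(parse_qsl(raw_body, encoding="latin-1")).get("charset", "utf-8")
    # Every parameter received is part of the signed string, blank values included.
    params = dict(parse_qsl(raw_body, keep_blank_values=True, encoding=charset))
    if params.pop("sign_type", None) != "RSA2":
        raise ValueError("sign_type is not RSA2")  # refuse a weaker or missing type
    if "sign" not in params:
        raise ValueError("notification carries no sign parameter")
    signature = base64.b64decode(params.pop("sign"))
    # Signed string: remaining parameters sorted by name, joined as k=v with '&'.
    content = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return content, signature, charset


def verify_notification(raw_body: str, alipay_public_key_b64: str) -> bool:
    """True only if the body carries a valid SHA256-with-RSA (RSA2) signature."""
    # Imported here so split_notification() works without the optional package.
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    # The key is the bare Base64 of a DER SubjectPublicKeyInfo (no PEM header).
    key = serialization.load_der_public_key(base64.b64decode(alipay_public_key_b64))
    try:
        content, signature, charset = split_notification(raw_body)
        key.verify(signature, content.encode(charset),
                   padding.PKCS1v15(), hashes.SHA256())
        return True
    except (InvalidSignature, ValueError, LookupError):
        return False
```

Business logic should act on a notification only after verify_notification returns True, because anyone who learns the notify_url can POST a forged body to the relay.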

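Step 5: Re-fetch the notification URL / query notifications

# Re-fetch (returns the existing credentials)
python3 "$SKILL_DIR/scripts/cli.py" register

# Show the local configuration
python3 "$SKILL_DIR/scripts/cli.py" config

# List notifications
python3 "$SKILL_DIR/scripts/cli.py" list

# Check the service status
python3 "$SKILL_DIR/scripts/cli.py" status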

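CLI command quick reference

All commands take the form: python3 "$SKILL_DIR/scripts/cli.py" <command> [args]

| Command | Description |
|---|---|
| register | Register and obtain notify_url (supports --server, --name, or interactive mode) |
| listen | Listen for notifications in real time (supports --out-trade-no to filter by order) |
| listen --auto-ack | Listen and acknowledge automatically (only when the developer explicitly asks for it) |
| list | List recent notifications (supports --limit, --out-trade-no, --trade-status) |
| get <id> | Show notification details (including the formatted raw message) |
| export <id> | Export the raw message to a file (supports -o for a custom file name; default notify_<id>.txt) |
| ack <id> | Acknowledge a notification (stops Alipay retries) |
| verify <id> | Verify a notification's signature (alipay_public_key must be configured first) |
| status | Check the service status |
| config | Show the current configuration |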

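Security and capacity

| Mechanism | Default |
|---|---|
| Notification retention | Purged automatically after 1 day |
| Notification cap per tenant | 200 |
| Tenant registration cap | 1000 |
| SSE connections per tenant | 3 |
| Registrations per IP | 1 |
| Notification ingress rate limit | 300/min |
| Registration rate limit | 10/hour |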

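Agent constraints

  1. No private keys stored: the cloud holds no merchant private key
  2. Verification is local: the developer performs it
  3. Message unmodified: raw_body is Alipay's original message
  4. Tenant isolation: data is strictly isolated; other tenants' data cannot be accessed
  5. No unsolicited ack: viewing or querying notifications does not acknowledge them, so Alipay can still retry. Ack only when the developer explicitly asks for it
  6. The raw message must be printed: when the developer asks to see the raw content, export it with export and then cat the complete URL-encoded raw message to the terminal (the get command shows a formatted version, not the raw message)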
Usage Guidance
This skill appears to do what it claims (provide a cloud relay for Alipay notify callbacks), but exercise caution before installing:
  • Verify the relay endpoint: the default server is an IP (http://8.136.213.223:9010). Confirm you trust that host or supply your own relay URL via NOTIFY_API_URL/--server. Using an unknown remote relay means unencrypted notify bodies and metadata pass through that service.
  • Inspect the bundled scripts/cli.py yourself (it is included) to confirm behavior. The CLI is the runtime surface; it performs network calls, saves config files, and can print raw POST bodies.
  • Run in an isolated environment first (container/VM) or from a disposable directory so .alipay-notify.json is not written into a source repo. The tool searches upward for a .git root and may write config into project directories.
  • Do not provide private merchant keys or other secrets to the relay. The tool expects an Alipay public key (used locally for verify); never upload your private keys to the relay.
  • Prefer using your own trusted relay or self-hosting if you cannot verify the remote service operator.

If you proceed, set NOTIFY_API_URL and NOTIFY_API_KEY explicitly and review responses returned by /register and /health before handing over any production or sensitive data. If you want higher assurance, ask the maintainer for a canonical domain, a signed release, or the ability to self-host the relay. If you cannot verify the remote service operator, treat this skill as potentially exposing webhook payloads to a third party.
Capability Analysis
Type: OpenClaw Skill · Name: alipay-notify · Version: 1.0.1
The skill is a developer utility designed to relay Alipay asynchronous notifications to a local environment via a remote middleman server (8.136.213.223). The Python CLI script (scripts/cli.py) uses only standard libraries, follows its stated logic for registration and SSE-based listening, and performs RSA2 verification locally to ensure sensitive keys are not sent to the cloud. No evidence of data exfiltration, malicious command execution, or deceptive prompt injection was found.
Capability Assessment
Purpose & Capability
The name/description (Alipay async notify relay for local development) matches the included CLI and runtime instructions: the skill registers with a cloud relay, returns a notify_url, listens for notifications, and performs local RSA2 verification. However the skill relies on a specific remote relay (default http://8.136.213.223:9010) rather than a well-known vendor domain; that is unusual but explainable if the author operates their own relay.
Instruction Scope
SKILL.md instructs the Agent to execute the bundled scripts/cli.py directly and to edit/read configuration files in the developer's current working directory and home (~/.alipay-notify/config.json). The CLI also reads environment variables (NOTIFY_API_URL, NOTIFY_API_KEY, ALIPAY_PLATFORM_PUBLIC_KEY) even though the skill metadata declares none. The Agent will perform network registration and streaming with the remote relay; these operations access local filesystem paths outside the skill directory (.alipay-notify.json, possibly project root) and make outbound requests to an unverified host — this scope is broader than what the SKILL.md metadata declared.
Install Mechanism
There is no installer or external download — the code is bundled with the skill (instruction-only install). This lowers supply-chain risk, but the bundled CLI communicates with a hardcoded remote server IP (http://8.136.213.223:9010). Because the relay is an external, opaque service (IP, not a known release host), network interactions are a potential privacy/security concern even though nothing is downloaded at install time.
Credentials
The skill metadata lists no required environment variables, but the CLI explicitly recognizes and uses NOTIFY_API_URL, NOTIFY_API_KEY, and ALIPAY_PLATFORM_PUBLIC_KEY. It will store configuration in .alipay-notify.json in the current working directory (and also looks in project root and home). Requesting or using an API key for the relay is proportional to the purpose, but the fact that these env vars are not declared in the skill metadata is an inconsistency. Also the CLI suggests the Agent can edit the local config (write to cwd), which could inadvertently write sensitive values into a project repo if run from a repo root.
Persistence & Privilege
The skill does not request always:true and will not force-install itself. It will create and update a configuration file in the user's working directory and may use a per-tenant API key/token returned by the relay. That file persistence is expected for a CLI tool, but users should be aware the file may end up in a project directory or home folder and contain tokens/urls.
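
The configuration concerns raised in this assessment (plain-HTTP relay on a bare IP, a config file landing inside a project repository) can be checked mechanically before the Agent runs the CLI. The following is an added example, not part of the skill: audit_config and its finding codes are hypothetical names, the only config field read by name is server_url as given in the README, and the .gitignore match is a literal file-name comparison rather than full pattern matching.

```python
import ipaddress
import json
import stat
from pathlib import Path
from urllib.parse import urlsplit


def audit_config(config_path) -> set:
    """Return a set of finding codes for one .alipay-notify.json file."""
    path = Path(config_path).resolve()
    config = json.loads(path.read_text(encoding="utf-8"))
    findings = set()

    url = urlsplit(config.get("server_url", ""))
    if url.scheme != "https":
        findings.add("relay-not-https")       # notify bodies cross the network in clear
    try:
        ipaddress.ip_address(url.hostname or "")
        findings.add("relay-is-bare-ip")      # no domain or certificate identity to check
    except ValueError:
        pass                                  # hostname is a name, not an IP literal

    # Assumption: any key with "private" in its name is a merchant secret,
    # which has no place in a file the relay tooling reads.
    if any("private" in key.lower() for key in config):
        findings.add("private-key-in-config")

    if path.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.add("readable-by-other-users")

    # Walk upwards: is the file inside a git work tree without being ignored?
    for parent in path.parents:
        if (parent / ".git").exists():
            ignore = parent / ".gitignore"
            patterns = ignore.read_text().split() if ignore.exists() else []
            if path.name not in patterns and "/" + path.name not in patterns:
                findings.add("in-git-repo-not-ignored")
            break
    return findings
```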
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install alipay-notify
  3. After installation, invoke the skill by name or use /alipay-notify
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
alipay-notify 1.0.1
  • No code or documentation changes detected in this release.
  • Version bump only; functionality and usage remain unchanged.
v1.0.0
  • Initial release of alipay-notify-relay skill.
  • Enables local development to receive Alipay asynchronous notifications without a public IP via a built-in CLI and cloud relay service.
  • All key actions (register, listen, query, ack, verify) are automated through CLI commands.
  • No need to deploy a server; cloud relay is provided.
  • Notifications are retained for 1 day and can be exported, viewed, and verified locally.
  • Designed exclusively for integration/sandbox/internal debugging; not for production use.
Metadata
Slug alipay-notify
Version 1.0.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

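What is Alipay Payment Async Notification Assistant?

An Alipay async notification relay that lets local development receive Alipay asynchronous notifications without a public IP. The skill bundles a self-contained CLI script; after installation the Agent automatically runs the whole flow: register → obtain notify_url → listen in real time → view the raw message → verify the signature locally. It depends only on Python 3 and needs no server deployment. For integration-testing environments only. It is an AI Agent Skill for Claude Code / OpenClaw, with 94 downloads so far.

How do I install Alipay Payment Async Notification Assistant?

Run "/install alipay-notify" in the OpenClaw or Claude Code chat to install it in one step; no extra setup required.

Is Alipay Payment Async Notification Assistant free?

Yes, Alipay Payment Async Notification Assistant is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Alipay Payment Async Notification Assistant support?

Alipay Payment Async Notification Assistant is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Alipay Payment Async Notification Assistant?

It is built and maintained by zhangke091 (@zhangke091); the current version is v1.0.1.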
