xingyeyouran

jd-clawtip-payment-skill

Author: ClawTip.team · GitHub ↗ · v1.0.13 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 186
Favorites: 2
Current installs: 0
Versions: 13
Install in OpenClaw
/install jd-clawtip-payment-skill
Description
Executes a jd-clawtip payment transaction for third-party skills. Trigger this tool strictly when a third-party service initiates a valid jd-clawtip payment...
Usage instructions (SKILL.md)

# System Architecture & Security Disclosures

To clarify the scope of the scripts and justify the requested permissions (credential.read, credential.write, network.outbound), the following underlying operations are declared:

1. Local State Persistence (Credentials): The skill scripts read from and write to a local file at configs/config.bin. This file stores the userToken using base64 encoding. While base64 is not encryption, this mechanism acts as a lightweight local session cache to maintain payment state seamlessly across executions, without requiring external registry metadata, environment variables, or repeated user inputs.
2. External Network Calls: The scripts actively call out to external JD endpoints over the network to process transactions, fetch authorization/authentication links, and verify token registration status.
3. Bundled Encryption Tooling: To securely handle payment payloads and credentials (such as encrypted_data and payment status decryption), the Python scripts locally invoke a bundled Node.js encryption tool.

---

# Process the Payment Request

## 1. Required Parameters

Provide the following parameters strictly according to their defined formats:

* **`payTo`** (string): The merchant's wallet address (the payTo recipient).
* **`amount`** (integer): The transaction amount.
* **`order_no`** (string): The order number from the calling skill's Phase 1.
* **`question`** (string): The user's original question/request content from the calling skill.
* **`encrypted_data`** (string): The encrypted data string from Phase 1.
* **`description`** (string): The description of the resource to be purchased (e.g., answer of user's psychological counseling).
* **`skill_name`** (string): The name of the calling skill (e.g., a proficient psychological counseling assistant).
* **`resource_url`** (string): The URL identifying the service resource being paid for.

## 2. Hyperparameters

* **`skill-version`** (string): The version of the skill. Currently set to 1.0.1.

## 3. Execution Command

Execute the script using the following bash command. Replace the placeholders <...> with the validated parameter values. Wrap parameters that may contain spaces in quotes.

```bash
python3 skills/jd-clawtip-payment-skill/scripts/payment_process.py <payTo> <amount> <order_no> <question> <encrypted_data> <description> <skill_name> <resource_url> <skill-version>
```

## 4. Result Processing Rules

Analyze the standard output of the execution command and strictly follow these response protocols **in the given order**. **Stop at the first matching step; do not continue to subsequent steps.**

### ⚡ Global Priority Rule

> If the output contains `支付凭证: <CREDENTIAL>`, **go to Step 2 (Obtain Credential) first** to return the credential to the calling skill for decryption.
>
> **However**, if the output **also** contains `授权链接: <AUTH_URL>` or `鉴权链接: <AUTH_URL>`, you **MUST preserve** the full original output (including the authorization/authentication URL) in memory. This is because the credential may decrypt to a **failed** status, in which case you will need to **fall back to Step 3** using the preserved authorization/authentication URL.
>
> **In summary:**
> 1. If `支付凭证:` is present → go to **Step 2** first.
> 2. After the calling skill decrypts the credential and reports the status:
>    - If the decrypted status is **成功** → go to **Step 4 Case A**. Done.
>    - If the decrypted status is **处理中** → go to **Step 4 Case B**. Done.
>    - If the decrypted status is **失败 (FAIL)** → go to **Step 2.1 (Credential Decryption Fallback)** to check whether a preserved `授权链接:` or `鉴权链接:` exists, and if so, fall back to **Step 3**.
> 3. If `支付凭证:` is **NOT** present → evaluate **Step 1**, then **Step 3** in order.

---

### **Step 1 — Network/System Failure (check first)**

* **Trigger:** The output contains `网络或系统异常:`.
* **Action:** Report the specific error returned by the script. Additionally, if the output contains `返回消息: <MESSAGE>`, display the `<MESSAGE>` to the user as supplementary error context. Advise the user on the next steps. **Stop here; do not proceed to Step 2.**

---

### **Step 2 — Obtain Credential**

* **Trigger:** The output matches the pattern `支付凭证: <CREDENTIAL>`.
* **Meaning:** The HTTP request reached the server successfully. The `<CREDENTIAL>` is an encrypted blob; **the actual payment status is encoded inside it**. The script cannot determine the status on its own.
* **Action:**
  1. **Preserve the full original script output** in memory (including any `授权链接:` or `鉴权链接:` if present, and any `返回消息:` if present). You may need it later in Step 2.1.
  2. Display the credential and return it to the calling skill for further processing:
     > **支付凭证:** `<CREDENTIAL>`

     Return this payment credential to the calling skill; the caller is responsible for decrypting it and handling the next steps according to the payment status it contains.

* **After returning the credential:** Wait for the calling skill to report the decrypted `PAY_STATUS`. Then proceed to **Step 4** to route by decrypted status. If the status is **失败 (FAIL)**, Step 4 Case C will direct you to **Step 2.1**.

---

### **Step 2.1 — Credential Decryption Fallback (回退处理)**

> This step is triggered **only** when the calling skill decrypts the credential and the resulting status is **失败 (FAIL)**.

* **Trigger:** The calling skill reports `PAY_STATUS: FAIL` (or equivalent 失败 status) after decrypting the credential from Step 2.
* **Action:** Check the **preserved original script output** from Step 2 for the presence of authorization/authentication URLs:

  #### **Case A: Preserved output contains `授权链接: <AUTH_URL>`**

  * **Meaning:** The user has not yet been authorized. The credential contained a failure status because the payment could not proceed without authorization. The `授权链接` was present in the original output but was deferred in favor of credential processing.
  * **Action:** Fall back to **Step 3 Case A** — treat this as an authorization-required scenario. Execute all actions defined in Step 3 Case A using the preserved `<AUTH_URL>`.

  #### **Case B: Preserved output contains `鉴权链接: <AUTH_URL>`**

  * **Meaning:** The payment failed because authentication was not completed. The `鉴权链接` was present in the original output but was deferred.
  * **Action:** Fall back to **Step 3 Case B** — treat this as an authentication-required scenario. Execute all actions defined in Step 3 Case B using the preserved `<AUTH_URL>`.

  #### **Case C: Preserved output contains NEITHER `授权链接:` NOR `鉴权链接:`**

  * **Meaning:** The payment genuinely failed due to business logic, and there is no authorization/authentication recovery path.
  * **Action:** Report the failure to the user. Emphasize that the transaction was declined due to business logic. Report any error code and reason provided by the calling skill. Additionally, if the **preserved original script output** contains `返回消息: <MESSAGE>`, display the `<MESSAGE>` to the user as supplementary failure context. If no specific error details were provided, inform the user that the payment failed and suggest they contact support or retry later.

---

### **Step 3 — Authorization / Authentication Required**

> ⚠️ **PREREQUISITE CHECK:** This step is evaluated in two scenarios:
> 1. The original script output does **NOT** contain `支付凭证:` at all.
> 2. You were directed here from **Step 2.1** after a credential decryption failure with a preserved authorization/authentication URL.

#### **Case A: 失败 + 授权链接 → 待授权 (Authorization Required)**

* **Trigger (direct):** The output contains **ALL** of the following:
  1. `支付状态: 失败` ← **REQUIRED** (exact match)
  2. `授权链接: <AUTH_URL>` ← **REQUIRED**
  3. Does **NOT** contain `支付凭证:` ← **REQUIRED**

* **Trigger (fallback from Step 2.1 Case A):** The calling skill reported `PAY_STATUS: FAIL` after credential decryption, and the preserved original output contains `授权链接: <AUTH_URL>`.

* **Meaning:** The user has not yet been authorized. The payment cannot proceed until the user completes authorization via the provided link.
* **Action:**
  1. Provide the extracted `<AUTH_URL>` to the user as the official **authorization** link. Additionally, if the output (or preserved output) contains `返回消息: <MESSAGE>`, display the `<MESSAGE>` to the user as supplementary context.
  2. Extract `{clawtip_id}` from the authorization URL (the `clawtipId` query parameter, e.g., `...?clawtipId={clawtip_id}`).
  3. Create a `scheduled task` to query the user's registration status:
      * **Query Phrase:** Use a phrase like `查询token注册状态 {clawtip_id}` or `query token register status {clawtip_id}`.
      * **Frequency & Duration:** Execute once per minute for the next 5 executions (after completion, you should notify the user in the main session).
      * **Crucial Note:** **Check the registration status, NOT the payment result.**
      * **Execution Limit:** If it exceeds 5 times, cancel the scheduled task (`jd-clawtip-payment user token register status {clawtip_id}`).
      * **Conflict Handling:** Cancel any currently running scheduled tasks related to `查询token注册状态` before starting the new one.
      * **Task Name:** `jd-clawtip-payment user token register status {clawtip_id}`. When the user needs to authorize and the authorization task has been created, display a prompt telling the user that once they have scanned the code and completed authorization, they can say `我已授权` or `我已完成授权` to continue the previous flow.

#### **Case B: 处理中 + 鉴权链接 → 待鉴权 (Authentication Required)**

* **Trigger (direct):** The output contains **ALL** of the following:
  1. `支付状态: 处理中` ← **REQUIRED** (exact match)
  2. `鉴权链接: <AUTH_URL>` ← **REQUIRED**
  3. Does **NOT** contain `支付凭证:` ← **REQUIRED**

* **Trigger (fallback from Step 2.1 Case B):** The calling skill reported `PAY_STATUS: FAIL` after credential decryption, and the preserved original output contains `鉴权链接: <AUTH_URL>`.

* **Meaning:** The payment is pending authentication. The user must complete authentication before the transaction can proceed.
* **Action:** Provide the extracted `<AUTH_URL>` to the user as the official **authentication** link. Additionally, if the output (or preserved output) contains `返回消息: <MESSAGE>`, display the `<MESSAGE>` to the user as supplementary context.

> **Stop here if Step 3 matched; do not proceed to Step 4.**

---

### **Step 4 — Route by Decrypted Status**

After the calling skill decrypts the credential and reports the status, follow the corresponding case:

#### **Case A: 成功 (Transaction Success)**

* **Trigger:** The decrypted status is **成功**.
* **Action:**
  1. Confirm to the user that the payment has been processed successfully.
  2. Display the full decrypted payment info clearly:
     **Payment Success Info:** `<DECRYPTED_PAY_INFO>`

---

#### **Case B: 处理中 (Processing)**

* **Trigger:** The decrypted status is **处理中**.
* **Action:** Inform the user that the payment is still being processed. Suggest they wait a moment and then check the payment status again.

---

#### **Case C: 失败 (Failed)**

* **Trigger:** The decrypted status is **失败** (or `FAIL`).
* **Action:** **Go to Step 2.1 (Credential Decryption Fallback)** to determine whether a recovery path (authorization/authentication) is available from the preserved original output. Do **NOT** simply report the failure here — always check Step 2.1 first.

---
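
The routing rules of section 4 written as a deterministic function, as an added example that is not part of the skill's own scripts. It assumes each marker starts its own output line with the value running to the end of that line; the function names, step labels and sample output are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlparse

# Output markers quoted in the rules above.
MARKERS = {
    "credential": "支付凭证",
    "authorize": "授权链接",
    "authenticate": "鉴权链接",
    "message": "返回消息",
    "error": "网络或系统异常",
    "status": "支付状态",
}

# Constructed sample output: a credential together with a deferred authorization link.
SAMPLE = (
    "支付凭证: CONSTRUCTED_BLOB\n"
    "授权链接: https://example.invalid/auth?clawtipId=abc123\n"
    "返回消息: constructed message\n"
)


def parse_output(stdout):
    """Collect the first value of each known marker (assumed one marker per line)."""
    fields = {}
    for key, label in MARKERS.items():
        m = re.search(rf"^\s*{label}:[ \t]*(.*)$", stdout, re.MULTILINE)
        if m:
            fields[key] = m.group(1).strip()
    return fields


def route_initial(stdout):
    """First-match routing of the raw output: global priority rule, then Steps 1 and 3."""
    f = parse_output(stdout)
    if "credential" in f:            # global priority: Step 2 first, keep f for Step 2.1
        return "step2", f
    if "error" in f:                 # Step 1
        return "step1", f
    if f.get("status") == "失败" and "authorize" in f:
        return "step3A", f
    if f.get("status") == "处理中" and "authenticate" in f:
        return "step3B", f
    return "unmatched", f            # assumption: output the rules do not cover


def route_decrypted(pay_status, preserved):
    """Step 4, including the Step 2.1 fallback over the fields preserved in Step 2."""
    if pay_status == "成功":
        return "step4A"
    if pay_status == "处理中":
        return "step4B"
    if pay_status in ("失败", "FAIL"):
        if "authorize" in preserved:
            return "step3A"
        if "authenticate" in preserved:
            return "step3B"
        return "step2.1C"
    return "unmatched"


def clawtip_id(auth_url):
    """Step 3 Case A, item 2: the clawtipId query parameter of the authorization URL."""
    return parse_qs(urlparse(auth_url).query).get("clawtipId", [None])[0]


if __name__ == "__main__":
    step, kept = route_initial(SAMPLE)
    print(step, route_decrypted("FAIL", kept), clawtip_id(kept["authorize"]))
```
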

# Create User Payment Token

When the user explicitly requests to create a token with a phrase like `创建token xxx` or `create token xxx`, execute the following command.

## 1. Required Parameters

Provide the following parameters strictly according to their defined formats:

* **`user_token`** (string): The user's token, given as the `xxx` in `创建token xxx`.

## 2. Execution Command

```bash
python3 skills/jd-clawtip-payment-skill/scripts/create_token.py <user_token>
```

## 3. Other Actions

You should check and cancel the running scheduled task about `查询token注册状态` if it is running (named `jd-clawtip-payment user token register status ${device_id}`). The `device_id` is a flexible value.

---

# Query the User Register Status

When the user explicitly requests to query the user register status with a phrase like `查询token注册状态 xxx` or `query token register status xxx`, or `我已注册`, execute the following command.

## 1. Required Parameters

Provide the following parameter:

* **`device_id`** (string): The user's device ID.

## 2. Execution Command

```bash
python3 skills/jd-clawtip-payment-skill/scripts/check_register_status.py <device_id>
```

## 3. Result Processing Rules

Analyze the standard output of the execution command and strictly follow these response protocols:

### **Case A: Processing**

* **Trigger:** The output matches the pattern `Status: processing`.
* **Action:** Inform the user that the registration is still processing, and optionally tell them the current count.

### **Case B: Successful**

* **Trigger:** The output matches the pattern `Status: successful`.
* **Action:** Confirm to the user that the registration is successful, and they have obtained the user token. You should check and cancel the running scheduled task about `查询token注册状态` if it is running (named `jd-clawtip-payment user token register status ${device_id}`). The `device_id` is a flexible value.

### **Case C: Execution Failure**

* **Trigger:** Any error message, timeout, or failure to match the patterns above.
* **Action:** Report the specific error returned by the script.
Security usage recommendations
This skill appears to implement a jd-clawtip payment protocol, but review and consider the following before installing or enabling it:
  1. Runtime requirements: the scripts call node (test2.js) via subprocess but the skill metadata does not declare node as a required binary. Ensure your environment provides a trusted Node runtime.
  2. Token handling: the skill stores userToken in configs/config.bin encoded only with base64 and prints tokens to stdout; this can leak secrets to logs or to calling code. If you will use it, ensure the config folder is appropriately protected and consider modifying the code to encrypt the file with a real key and stop printing raw tokens.
  3. Network endpoints: the skill talks to ms.jr.jd.com and other JD endpoints. Verify these are the expected/authorized endpoints for your deployment.
  4. Source trust: the skill has no homepage and an unknown owner; verify provenance before granting credential read/write permissions.
  5. Least privilege: restrict network and credential permissions to only what is necessary and confirm the calling skill is authorized to receive any tokens/credentials this skill emits.
If you need higher assurance, request a signed/hosted release or run the code in a sandboxed environment and inspect runtime network calls and outputs.
Functional analysis
Type: OpenClaw Skill
Name: jd-clawtip-payment-skill
Version: 1.0.13
The skill bundle implements a payment transaction and token registration system for JD.com (Jingdong) services. It uses Python scripts (payment_process.py, check_register_status.py) to communicate with official JD Finance endpoints (ms.jr.jd.com) and utilizes a bundled Node.js cryptographic library (summer-cryptico-2.0.2.min.js) to perform SM2/SM4 encryption on sensitive payloads. While the skill stores a userToken in a local file (configs/config.bin) using base64 encoding—which is a security vulnerability—this behavior is explicitly disclosed in the SKILL.md documentation. The instructions for the AI agent to manage scheduled tasks for polling registration status are consistent with the functional requirements of a payment utility.
Capability assessment
Purpose & Capability
The code implements payment request construction, token creation/registration checks, and network calls to JD endpoints which align with the declared purpose. However the package invokes Node (test2.js) for encryption but the skill metadata/requirements list no required binaries — a practical mismatch. The SKILL.md version (1.0.1) differs from registry version (1.0.13), which could indicate sloppy packaging or untracked changes.
Instruction Scope
The SKILL.md and scripts read and write a local config file configs/config.bin to store userToken (base64-encoded), call external JD endpoints, and run a bundled Node.js crypto script. The scripts also print sensitive tokens and API responses to stdout. Printing tokens to stdout and storing them only base64-encoded increases the risk of accidental token leakage (to logs, callers, or other skills). The SKILL.md's runtime instructions expect the agent to execute python and implicitly node; the skill instructs preserving outputs in memory and handing encrypted blobs back to calling skills — reasonable for the protocol but sensitive in practice.
Install Mechanism
This is an instruction-only skill packaged with code files (Python + bundled JS cryptico library). There is no install spec (nothing written to disk by a platform installer), but the skill will create and modify files under its own configs/ directory at runtime. The bundled cryptico JS is sizable but from the included file; there are no external arbitrary download URLs. The absence of an explicit runtime requirement listing (node) is a packaging oversight.
Credentials
The skill declares and uses credential.read and credential.write permissions and network.outbound, which are consistent with storing a userToken and calling JD endpoints. However it requests no environment variables or external credentials from the platform; instead it persists sensitive tokens locally (base64 encoded) and prints them to stdout. That local persistence and stdout exposure are disproportionate risk for a third-party skill unless you trust the caller and the endpoint (ms.jr.jd.com).
Persistence & Privilege
always is false and the skill only writes files under its own configs/ folder. It does not request to modify other skills or system-wide config. The persistence is limited to storing a local token cache, which is a reasonable pattern — but again the storage method is weak (base64) and tokens are printed to stdout.
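
A check for the token-cache weakness described in this assessment, as an added example that is not code from the skill. It assumes configs/config.bin holds nothing but the base64 of the token text and a POSIX file system; the function names and the sample token are hypothetical, and encrypting the file with a real key is not implemented here.

```python
import base64
import binascii
import os
import stat


def audit_token_cache(path):
    """Return findings for a token cache like the configs/config.bin described above."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o}: accessible beyond the owner")
    with open(path, "rb") as fh:
        raw = fh.read().strip()
    try:
        token = base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return findings  # not plain base64 text, nothing recovered
    if token and token.isprintable():
        findings.append("token recoverable with a plain base64 decode (no key needed)")
    return findings


def write_token_cache(path, token):
    """Same assumed on-disk format, but owner-only permissions from creation onward."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        os.fchmod(fh.fileno(), 0o600)  # also tightens a file that already existed
        fh.write(base64.b64encode(token.encode("utf-8")))


def redact(text, token, keep=4):
    """Mask a known token before the text reaches stdout or a log."""
    if not token:
        return text
    return text.replace(token, token[:keep] + "***")
```

Tightening the mode removes the first finding only; the second remains until the file is encrypted with a key that is stored elsewhere.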
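How to use
  1. Make sure OpenClaw is installed (locally or via Docker).
  2. Enter the install command in the chat box: /install jd-clawtip-payment-skill
  3. Once installation completes, invoke the Skill by name or trigger it with /jd-clawtip-payment-skill
  4. Provide the required inputs according to the Skill's parameter description to get structured output.
Version history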
v1.0.13
No code or documentation changes detected in this release. - Version incremented to 1.0.13 with no file changes. - No impact on usage or behavior.
v1.0.12
- No code or documentation changes detected in this version. - Version bump only; functionality and user experience remain unchanged.
v1.0.11
No changes detected in this skill version. - Version bump only; no file or documentation changes.
v1.0.10
No file changes detected. No updates or functional changes in this version.
v1.0.9
No functional/file changes detected in this version. Documentation was updated: - The credential persistence mechanism is now described as using a shell environment variable (`CLAWTIP_USER_TOKEN` in `~/.zshrc`), instead of a local config file. - Device fingerprinting process now includes SHA-256 hashing for all identifiers before use, explicitly improving privacy. - Original payment and processing logic remain unchanged.
v1.0.8
No user-visible changes in this version. - No file changes or updates were detected for version 1.0.8. - All documentation and implementation remain as in the previous release.
v1.0.7
- Added a System Architecture & Security Disclosures section to SKILL.md detailing credential storage, machine fingerprinting, network activity, and encryption tool usage. - No logic or code changes; documentation only.
v1.0.6
**Changelog for jd-clawtip-payment-skill 1.0.6** - Added compiled Python bytecode files: `scripts/__pycache__/payment_process.cpython-311.pyc` and `scripts/__pycache__/payment_request.cpython-311.pyc`. - No changes to the documentation or core logic in SKILL.md.
v1.0.5
jd-clawtip-payment-skill 1.0.0 - Initial release of jd-clawtip-payment-skill. - Supports execution of jd-clawtip payment transactions for third-party skills. - Provides a detailed payment result processing flow, including handling for credentials, network/system failures, and authorization/authentication requirements. - Requires several parameters to initiate a payment and processes standard script output according to strict rules. - Includes fallback mechanisms if payment credentials decrypt as failed, using preserved authorization or authentication links if available.
v1.0.4
jd-clawtip-payment-skill 1.0.4 Changelog - Expanded and clarified the payment request process in SKILL.md, detailing required parameters, command usage, and step-by-step result processing. - Added robust global priority rules for handling output patterns, especially payment credentials and authorization URLs. - Introduced fallback logic for credential decryption failures, including detailed user guidance and error messaging. - Specified precise reporting and user communication requirements for various transaction outcomes (success, pending, fail). - Clearly defined network/system failure handling and next-step advice protocols.
v1.0.2
jd-clawtip-payment-skill 1.0.0 - Initial release of the jd-clawtip-payment-skill. - Enables processing of third-party jd-clawtip payment requests with strict parameter requirements and flow control. - Provides detailed result handling, supporting credential return, network/system failure reporting, and authorization/authentication fallback. - Requires specific parameters, bash execution method, and defines clear protocols for payment status handling and user instruction.
v1.0.1
jd-clawtip-payment-skill 1.0.1 Changelog - Removed the SKILL_cn.md documentation file. - No changes to skill logic or user-facing features. - Only documentation/assets were updated; core functionality remains unchanged.
v1.0.0
jd-clawtip-payment-skill v1.0.0 — Initial Release. This project is based on: https://github.com/jd-opensource/jd-clawtip-payment-skill - Enables execution of jd-clawtip payment transactions for third-party skills. - Processes strict payment workflows with required parameters and result processing steps. - Handles network errors, payment credential returns, and user authorization/authentication. - Provides detailed guidance for each payment status and fallback pathway. - Includes permissions for outbound network access and credential read/write.
Metadata
Slug: jd-clawtip-payment-skill
Version: 1.0.13
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 13
FAQ

What is jd-clawtip-payment-skill?

Executes a jd-clawtip payment transaction for third-party skills. Trigger this tool strictly when a third-party service initiates a valid jd-clawtip payment... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 186 total downloads to date.

How do I install jd-clawtip-payment-skill?

Run the command "/install jd-clawtip-payment-skill" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is jd-clawtip-payment-skill free?

Yes, jd-clawtip-payment-skill is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does jd-clawtip-payment-skill support?

jd-clawtip-payment-skill is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed jd-clawtip-payment-skill?

It is developed and maintained by ClawTip.team (@xingyeyouran); the current version is v1.0.13.
