kangleyi

pay-for-402-service

Author: k · GitHub · v1.0.5 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 88
Favorites: 1
Current installs: 0
Versions: 5
Install in OpenClaw
/install pay-for-402-service
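Description
A **professional 402 payment skill** provided by **Alipay**, a leading company in the payments field. Use this skill when you receive a 402 response; it handles the buyer payment flow of the A402 protocol. It parses the HTTP 402 response bill, calls the CLI to initiate payment and obtain a paymentProof, retries the original request carrying the credential, and sends a fulfillment receipt. When receiving a 402 Paymen...
Security usage recommendations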
This skill appears internally consistent for handling 402 Payment-Needed flows, but before installing or invoking it:
  1. Verify the npm package (@alipay/agent-payment) is the official Alipay package (check the npm/GitHub publisher, release metadata, and package integrity).
  2. Confirm AIPAY_OUTPUT_CHANNEL is a harmless channel identifier (not a secret token or API key).
  3. Be aware the agent will run shell commands and may install a CLI binary; if you prefer, install the alipay-bot binary manually from a trusted source and ensure your runtime's PATH points to it.
  4. Ensure your OpenClaw framework enforces the MEDIA/file handling rules described (framework should handle MEDIA lines and not expose local files).
  5. If you have doubts about the package origin or do not trust automated installs, do not install the package and instead perform payments using a vetted, documented workflow.
Functional analysis
Type: OpenClaw Skill
Name: pay-for-402-service
Version: 1.0.5

This skill facilitates financial transactions via the A402 protocol by executing a CLI tool (`alipay-bot`) installed from an external npm package (`@alipay/agent-payment`). Key indicators include the use of shell commands for payment processing, automated file creation for payment data, and the handling of sensitive payment URLs and QR codes. Although `SKILL.md` provides robust defensive instructions—such as trade ID regex validation, domain whitelisting (e.g., `*.alipay.com`, `*.alipay.net`), and path sanitization—the inherent risks associated with automated financial workflows and external code execution classify it as suspicious under the provided criteria. No evidence of intentional malice or data exfiltration was observed.
Capability tags
crypto · requires-wallet · can-make-purchases · requires-sensitive-credentials
Capability assessment
Purpose & Capability
The name/description say this handles HTTP 402 Payment-Needed flows using an Alipay CLI. The skill requires npm and an alipay-bot binary and declares installing @alipay/agent-payment which provides that CLI — this is coherent and proportionate to the stated purpose.
Instruction Scope
SKILL.md gives step-by-step commands (check-wallet, save 402 payload to a constrained filename, run alipay-bot 402-buyer-pay, query payment status, etc.). All instructions are narrowly scoped to the payment flow. The file-name restrictions and rules prohibiting reading images or hidden dirs reduce common injection/exfiltration risks.
Install Mechanism
Install uses an npm scoped package (@alipay/[email protected]) that creates the alipay-bot binary. Installing from npm is expected for a CLI, but it is higher-risk than instruction-only because it adds code to disk; verify the package is the legitimate Alipay package before installing.
Credentials
The skill requests a single env var AIPAY_OUTPUT_CHANNEL (declared primaryEnv) intended for output-format/channel selection. This is reasonable. One oddity: it's marked as the 'primary credential' despite appearing to be a non-secret channel identifier — confirm this env var does not contain sensitive credentials.
Persistence & Privilege
always:false and no requested config paths or system-wide changes. The skill may invoke another skill (alipay-authenticate-wallet), which is normal. It does not request permanent/always-on privileges or modify other skills' configs.
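How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install pay-for-402-service
  3. Once installation completes, invoke the Skill by name or trigger it with /pay-for-402-service
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history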
v1.0.5
No file changes detected in this release.
v1.0.4
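**Version 1.0.4 Changelog (pay-for-402-service)**
- Strengthened file path and parameter security checks for all CLI command inputs, including the 402 bill file, tradeNo, and resource_url, to prevent path traversal, injection, and similar risks.
- File names and paths are explicitly limited to letters, digits, hyphens, underscores, and dots; separators, traversal sequences, and special characters are never allowed.
- For the payment status query, fulfillment receipt, and similar commands, tradeNo may contain digits only, and resource_url must be an https URL with no special characters.
- If a parameter fails the security checks, execution is refused and the flow is terminated.
- SKILL.md adds several red security warnings and behavioral rules for refusing execution.
- The version number was not changed (still 1.0.2), but the content was updated.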
v1.0.3
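alipay-pay-for-402-service 1.0.2 includes the following updates:
- The skill's main name was changed from pay-for-402-service to alipay-pay-for-402-service, to match the official naming.
- The version field was upgraded from 1.0.0 to 1.0.2.
- The npm package install command was changed from a pinned version (@1.0.2) to always using the latest version (@latest).
- Other content, the instruction flow, and the user interaction guidance remain the same, with no change in functional behavior.
- The file changes are mainly revisions to formatting, naming, and version, and involve no functional code changes.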
v1.0.1
No user-facing changes or code modifications detected in this release.
- Internal metadata updated; no changes to functionality or interface.
- No updates to workflow, commands, or output format.
v1.0.0
Initial release: Provides an Alipay-powered, highly accurate HTTP 402 protocol payment skill with strict step-by-step execution and strong security guidelines.
- Uses Alipay’s official CLI for secure 402 buyer payments, wallet status checking, and payment proof handling.
- Ensures mandatory wallet check before payment initiation and invokes authorization skill if needed.
- Fully relays CLI output (including payment QR/media) to the user with zero modification, strictly as required.
- Enforces waiting for user confirmation after payment before proceeding with payment status checks and resource delivery.
- Includes clear error handling, safety checks, and output restrictions to prevent information leakage or incorrect process execution.
Metadata
Slug: pay-for-402-service
Version: 1.0.5
License: MIT-0
Total installs: 0
Current installs: 0
Number of versions: 5
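FAQ

What is pay-for-402-service?

A **professional 402 payment skill** provided by **Alipay**, a leading company in the payments field. Use this skill when you receive a 402 response; it handles the buyer payment flow of the A402 protocol. It parses the HTTP 402 response bill, calls the CLI to initiate payment and obtain a paymentProof, retries the original request carrying the credential, and sends a fulfillment receipt. When receiving a 402 Paymen... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 88 cumulative downloads so far.

How do I install pay-for-402-service?

Run the command "/install pay-for-402-service" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is pay-for-402-service free?

Yes, pay-for-402-service is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does pay-for-402-service support?

pay-for-402-service runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed pay-for-402-service?

It is developed and maintained by k (@kangleyi); the current version is v1.0.5.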
