alipay-pay-for-402-service
Pass
Audited by Gen Agent Trust Hub on May 1, 2026
Risk Level: SAFE | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads and installs the `@alipay/agent-payment` package from the official NPM registry. It implements security best practices by requiring a specific version (1.0.0) and performing a SHA-512 integrity hash check before installation.
- [COMMAND_EXECUTION]: The skill utilizes the `alipay-bot` CLI for payment operations, including checking wallet status, initiating payments, and querying transaction results. Commands are constructed using single-quoted parameters to mitigate shell injection risks.
- [COMMAND_EXECUTION]: Includes a fallback mechanism using `curl` and shell utilities (`grep`, `sed`, `tr`) to extract payment headers if the initial attempt fails. The skill provides explicit regex-based validation rules for variables used in these commands to prevent exploitation.
- [DATA_EXFILTRATION]: Contains a problem feedback feature that sends user-confirmed issue descriptions to the Alipay backend via the `alipay-bot problem-feedback` command. This is documented as a troubleshooting tool and requires explicit user consent for each submission.
Audit Metadata