alipay-pay-for-402-service

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly requires the model to verbatim relay CLI outputs (including one‑time payment URLs, paymentProofs and other signed tokens extracted from the Payment-Needed header) and to embed those values in subsequent commands, which forces the LLM to handle and output sensitive tokens/credentials directly, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly requires ingesting the HTTP 402 "Payment-Needed" header from arbitrary resource responses (Step 1) and parsing/acting on alipay-bot CLI output (Step 2) — including extracting shortUrl, resource_url and tradeNo — which are untrusted third-party inputs that directly determine subsequent commands and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill installs and executes an external npm package at runtime—@alipay/agent-payment@1.0.0 (see https://www.npmjs.com/package/@alipay/agent-payment), which fetches remote code and runs the install-cli/alipay-bot CLI, so this external content is required and executes code during skill operation.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). This skill explicitly implements payment operations using an Alipay-provided CLI and npm package (@alipay/agent-payment). It defines commands that initiate payments (alipay-bot 402-buyer-pay), query payment status (402-query-payment-status), check wallet and perform fulfillment acknowledgements (check-wallet, 402-buyer-fulfillment-ack), and requires installing and invoking a payment-specific client. These are direct payment gateway actions intended to move funds and obtain paymentProof, so it grants Direct Financial Execution authority.