alipay-pay-for-service

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). Yes — the skill explicitly requires copying and outputting signed one-time payment URLs (and inserting session IDs into commands) verbatim, which are secret-like tokens that must not be exposed via the LLM output.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly consumes user-/merchant-provided public cashier URLs (e.g., triggers on "cashier*.alipay.com" per SKILL.md header and Step 2) and runs CLI commands that parse and act on the returned CLI/URL content (extracting shortUrl, MEDIA, and deciding next tool calls), so untrusted third‑party content from those public links can materially influence tool use and workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes runtime installation/execution of the npm package @alipay/agent-payment (npm install / npx), which fetches and runs remote code from the npm registry (https://registry.npmjs.org/ and https://www.npmjs.com/package/@alipay/agent-payment) and is a required dependency for the skill.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). This skill is explicitly a payment-processing integration for Alipay. It requires installing the official @alipay/agent-payment package and defines concrete CLI commands that perform payment actions: alipay-bot payment-intent (init payment session), alipay-bot check-wallet (wallet/authorization check), alipay-bot submit-payment --payment-link '<收银台链接>' (submit a payment), and alipay-bot query-payment-status -p "" (query payment status). The primary and explicit purpose of the skill is to execute and manage Alipay payment flows (including submitting transactions and handling one-time signed payment URLs). That matches the “Payment Gateways / Send Transaction” criteria for Direct Financial Execution.