wechatpay-payment-integration

Pass

Audited by Gen Agent Trust Hub on Jul 6, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill manages a local knowledge base using a Python script (wechatpay-docs-sync.py) that synchronizes documentation by downloading a ZIP archive from https://wx.gtimg.com/resource/wechatpay_api/wechatpay-docs.zip. This domain is an official resource host for Tencent services.
  • [COMMAND_EXECUTION]: For the 'APIv3 Dynamic Troubleshooting' capability, the agent is instructed to execute shell commands using the wechatpay-dev-cli utility. This allows the agent to interact with payment APIs for diagnostic purposes (listing endpoints, building payloads, and performing queries).
  • [EXTERNAL_DOWNLOADS]: The instructions recommend the installation of the @tenpay/wechatpay-dev-cli package from the public NPM registry. This package is an official tool provided by the payment platform vendor.
  • [SAFE]: The skill implements a secure 'Local Signing' workflow. Instead of requesting sensitive API certificates or private keys, it provides the user with helper scripts (extract_and_sign.sh and extract_and_sign.ps1) to run on their own hardware. The agent only processes the final signature result, ensuring that private keys and P12 passwords remain strictly on the user's local system.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 6, 2026, 07:25 AM
Security Audit — agent-trust-hub — wechatpay-payment-integration