Trusted. Risk score: 5/100
Last scan: 1 day ago
pop-pay
Payment guardrail for AI agents — injects card via CDP, never exposes it to the agent context. Semantic spend policy + prompt-injection resistance.
This is a documentation-only skill (SKILL.md + LICENSE + metadata). No executable code, scripts, or dependencies are present. The security design described is thoughtful and explicitly addresses prompt injection resistance and card isolation.
Skill name: pop-pay
Analysis time: 33.2s
Engine: pi
Safe to install
No immediate risk. The skill describes a well-architected payment guardrail with CDP-based card injection that never exposes card numbers to the agent context. However, actual implementation code should be audited before production use.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | | No filesystem access described or implemented |
| Network access | NONE | NONE | | No network calls described in SKILL.md; webhook is user-supplied |
| Command execution | NONE | NONE | | No shell execution in skill definition |
| Environment variables | NONE | NONE | | Environment vars are user-configured policy settings, not credential access |
| Skill invocation | NONE | NONE | | No cross-skill invocation described |
| Clipboard | NONE | NONE | | No clipboard access described |
| Browser | NONE | NONE | | CDP injection is described but handled by an external 'pop-pay' binary, not the … |
| Database | NONE | NONE | | No database access described or implemented |
4 findings

| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://hooks.slack.com/your-hook-here | SKILL.md:54 |
| Medium | External URL | https://hooks.slack.com/... | SKILL.md:165 |
| Medium | External URL | https://www.amazon.com/checkout/payment | SKILL.md:177 |
| Medium | External URL | https://www.amazon.com/checkout/address | SKILL.md:183 |

Directory structure

3 files · 7.5 KB · 229 lines
Markdown: 1 file · 202 lines; Text: 1 file · 21 lines; JSON: 1 file · 6 lines
├─ _meta.json (JSON, 6 lines, 112 B)
├─ LICENSE.txt (Text, 21 lines, 1.1 KB)
└─ SKILL.md (Markdown, 202 lines, 6.3 KB)

Security highlights

✓ Security model explicitly states card number is never placed in the agent's context window
✓ CDP injection runs in a separate process — a prompt injection attack cannot steal the card
✓ Semantic guardrail evaluates SHOULD vs CAN, not just budget availability
✓ Prompt injection scan (page_snapshot) runs before any payment operation
✓ No credential harvesting or environment variable iteration observed
✓ No base64, eval, or obfuscated code patterns
✓ No remote script execution (curl|bash, wget|sh)
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ Open source under MIT license with auditable GitHub repository
✓ Clear documentation with no hidden functionality or shadow features