← Back to Skills Marketplace

API Merchant Fee

Name: API Merchant Fee
Author: sgfa005

by sgfa005 · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install api-merchant-fee

Description

商户费率查询 API。当用户提到查询商户费率、商户信息、贷记卡费率、借记卡费率、扫码费率、商户管理费，或需要查询某个商户的费率信息时触发。触发词包括：查询商户费率、商户费率、商户费率查询、merchant fee。

README (SKILL.md)

商户费率查询

请求参数

参数	含义	说明
agentNo	代理商号	32位字符串
apikey	API密钥	AES加密密钥（Base64编码）
userId	商户编号	32位字符串，必须为请求代理商直属或团队商户
tusn	SN编号	终端SN编号

认证信息管理

agentNo 和 apikey 会自动保存到本地文件（scripts/.auth.json），后续查询如不更换代理商可直接复用。

更换代理商时：提供新的 agentNo + apikey 即可。

使用方式

首次查询（或更换代理商）

提供完整的四个参数：

查询商户费率，代理商号 Ag21000030，apikey xxx，用户编号 BOSSPOS_230228172135uimbcv07，SN编号 00007302499999000232

同一代理商后续查询

只提供 userId 和 tusn：

查询商户 BOSSPOS_230228172135uimbcv07 的费率，SN编号 00007302499999000232

更换代理商

提供新的 agentNo + apikey：

查询商户费率，代理商号 Ag21000031，apikey yyy，用户编号 BOSSPOS_230228172135uimbcv07，SN编号 00007302499999000232

参数判断规则

用户提供 4 个参数（agentNo + apikey + userId + tusn）→ 直接使用，保存认证信息
用户只提供 2 个参数（userId + tusn）→ 读取本地保存的 agentNo + apikey
用户提供 3 个参数 → 询问是否缺少 agentNo/apikey
认证信息不存在且只提供 userId/tusn → 提示先提供 agentNo + apikey

执行流程

解析用户输入，判断是否提供完整参数
如缺少 agentNo/apikey，从 scripts/.auth.json 读取
调用 scripts/query_fee.py 执行 API 请求
解析响应结果并格式化输出

输出格式

查询成功

✅ 商户费率信息

**商户编号**：BOSSPOS_230228172135uimbcv07
**商户名称**：XXX 商户
**所属代理**：代理名称（编号）

━━ 费率详情 ━━
**贷记卡基础费率**：0.55%
**借记卡费率**：0.45%
**借记卡封顶手续费**：25元
**云闪付费率**：0.38%
**支付宝龙舟计划费率**：0.38%
**扫码费率**（微信/支付宝）：0.38%
**出款服务费**：1元
**商户管理费1**：0.1%
**商户管理费2**：0.05%

**绑定终端**：SN123456, SN654321

查询失败

❌ 查询失败

**返回码**：9999
**原因**：商户未配置费率

参数缺失

⚠️ 参数不完整

缺少以下必填参数：
- agentNo（代理商号）
- apikey（API密钥）

请提供完整信息后重试，格式示例：
查询商户费率，代理商号 XXX，apikey XXX，用户编号 XXX，SN编号 XXX

错误处理

网络错误：提示检查网络或 API 服务
认证失败（401/403）：提示检查 API Key 配置
业务失败（非0000）：显示具体错误码和原因
商户不属于该代理：提示用户检查商户编号是否正确

注意事项

永远不要在响应中暴露 API Key
费率单位：百分比格式（如 0.55%），封顶手续费单位为元

Usage Guidance

This skill appears to implement the stated merchant-fee lookup, but review the following before installing: - Origin/provenance: the skill source and owner are unknown. Prefer code from a trusted author or vendor. - Unused hard-coded credential: scripts/config.json contains a baseUrl (raw IP) and a Base64 API key. Either this is a leftover/test credential or a secret bundled in the package — remove or rotate it and confirm the correct endpoint before use. - Network endpoint: the script will POST encrypted data to a raw IP (47.111.144.23:8094). Verify that endpoint is legitimate for your organization; do not use if you cannot verify or trust it. - Dependencies: the script requires the Crypto/pycryptodome Python package but the skill metadata does not declare it. Ensure you install dependencies from trusted sources, and consider running the script in an isolated environment (container) if you must test it. - Local persistence of secrets: the script writes credentials to scripts/.auth.json in cleartext. If you proceed, store that file securely (restrict permissions) or modify the script to avoid persistent storage. If you cannot verify the endpoint and the included apiKey, treat this skill as untrusted. To be safer: ask the publisher for provenance, remove or replace scripts/config.json, run the script in a sandbox, and rotate any keys that were embedded or reused.

Capability Analysis

Type: OpenClaw Skill Name: api-merchant-fee Version: 1.0.0 The skill is designed to query merchant fee information but contains several significant security vulnerabilities. It stores sensitive API keys and agent IDs in a local plaintext file (`scripts/.auth.json`) for persistence, uses the insecure AES-ECB encryption mode in `scripts/query_fee.py`, and defaults to an unencrypted HTTP endpoint (`http://47.111.144.23:8094`) in `scripts/config.json`. While these appear to be unintentional design flaws rather than malicious intent, they pose a high risk of credential theft and data interception.

Capability Tags

cryptorequires-sensitive-credentials

Capability Assessment

ℹ Purpose & Capability

Name/description and the Python script both implement a merchant fee lookup (posting encrypted requests and decrypting responses), so functionality matches purpose. However scripts/config.json embeds a baseUrl and an API key (Base64) that are not referenced by the script or SKILL.md, creating an unexplained artifact.

✓ Instruction Scope

SKILL.md instructs parsing user parameters, reading/writing scripts/.auth.json, calling scripts/query_fee.py, and formatting output — which is exactly what the script does. The instructions do not ask for unrelated files or credentials beyond agentNo/apikey.

⚠ Install Mechanism

This is instruction-only (no install spec), but the bundled Python script imports Crypto (pycryptodome). No dependency or runtime requirement is declared in the skill metadata or SKILL.md, so the runtime may fail or an operator might be prompted to install packages from external sources. Also the skill makes network calls to a raw IP address rather than a documented public API hostname.

⚠ Credentials

No environment variables are requested (consistent), but the repository includes scripts/config.json that contains a baseUrl pointing to 47.111.144.23:8094 and an apparent Base64 API key. The script does not read config.json, so embedding a credential in the package is unnecessary and risky. The script persistently saves provided credentials to scripts/.auth.json (in cleartext) regardless of query success.

ℹ Persistence & Privilege

The skill persists agentNo/apikey to scripts/.auth.json for reuse — this is expected for convenience but creates a local secret file. The skill does not request elevated system privileges or modify other skills. always is false and autonomous invocation is allowed (platform default).

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install api-merchant-fee
After installation, invoke the skill by name or use /api-merchant-fee
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

api-merchant-fee v1.0.0 - Initial release of the 商户费率查询 (Merchant Fee Query) skill. - Supports querying merchant rates by parsing user input for required parameters (agentNo, apikey, userId, tusn). - Caches agentNo and apikey locally for convenient repeat queries. - Handles input validation and parameter completion with clear user prompts. - Formats successful, failed, or incomplete queries with easy-to-read templates. - Includes robust error handling for network, authentication, and business logic errors.

Metadata

Slug api-merchant-fee

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is API Merchant Fee?

商户费率查询 API。当用户提到查询商户费率、商户信息、贷记卡费率、借记卡费率、扫码费率、商户管理费，或需要查询某个商户的费率信息时触发。触发词包括：查询商户费率、商户费率、商户费率查询、merchant fee。 It is an AI Agent Skill for Claude Code / OpenClaw, with 70 downloads so far.

How do I install API Merchant Fee?

Run "/install api-merchant-fee" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is API Merchant Fee free?

Yes, API Merchant Fee is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does API Merchant Fee support?

API Merchant Fee is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created API Merchant Fee?

It is built and maintained by sgfa005 (@sgfa005); the current version is v1.0.0.

More Skills