← Back to Skills Marketplace

Mercado Libre MCP Server

Name: Mercado Libre MCP Server
Author: marcosnahuel

by MarcosNahuel · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

124

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install mercadolibre-mcp

Description

Complete MCP server for Mercado Libre seller operations — products, orders, pricing, stock, questions, ads, reputation, competitor analysis

Usage Guidance

This package appears to implement the Mercado Libre MCP features it claims, but take precautions before installing or running it with real credentials: - The code will perform OAuth refreshes and, if Mercado Libre returns a new refresh_token, the server will set process.env.ML_REFRESH_TOKEN and print the first ~20 characters of the new refresh token to stderr. That log can expose part of your credential to logs/monitoring systems. Consider removing or redacting that console.error line before running, or ensure logs are not stored in an untrusted place. - If you don't need auto-refresh, prefer supplying ML_ACCESS_TOKEN (short-lived) managed by your own scheduler (n8n/cron) instead of giving client_secret + refresh_token to this process. - Run the server in an isolated environment/container, not on a host with other sensitive workloads or shared logging, and rotate credentials after first use if you test it. - Review dependencies (npm modules) and run npm audit / vet the @modelcontextprotocol/sdk package versions you will install. - Check that the ML_CLIENT_ID/ML_CLIENT_SECRET you provide have minimal scopes required for the operations you need. If you want, I can point to the exact lines to change (remove/redact the refresh token log) and show a small patch to avoid printing tokens to stderr.

Capability Analysis

Package: (mcp) Version: Description: Complete MCP server for Mercado Libre seller operations — 11 tools for products, orders, pricing, stock, questions, ads, reputation, and competitor analysis The package is a legitimate Model Context Protocol (MCP) server for interacting with the Mercado Libre API. It provides tools for managing products, orders, pricing, stock, and customer questions. The code uses standard OAuth2 authentication to communicate with the official Mercado Libre endpoints and does not contain any malicious logic, unauthorized data exfiltration, or unexpected binary execution.

Capability Assessment

✓ Purpose & Capability

Name, description, tools, required binaries (node) and npm dependencies (@modelcontextprotocol/sdk, zod) align with a MCP server for Mercado Libre. The requested env vars (ML_CLIENT_ID, ML_CLIENT_SECRET, ML_REFRESH_TOKEN) are expected for OAuth auto-refresh mode.

ℹ Instruction Scope

SKILL.md and README instruct only to set ML credentials and run the server; runtime instructions call only Mercado Libre APIs. However, auth.ts logs a portion of any newly returned refresh_token to stderr and writes the new refresh_token into process.env — these actions broaden what runtime output may contain and can leak secrets into logs.

✓ Install Mechanism

There is no external download/install-from-URL; this is an instruction/code-only package with dependencies declared in package.json. Dependencies come from npm (typical). No suspicious install URLs or archive extraction were found.

⚠ Credentials

Requested env vars (ML_CLIENT_ID, ML_CLIENT_SECRET, ML_REFRESH_TOKEN) are appropriate for auto-refresh, but SKILL.md also documents an alternative ML_ACCESS_TOKEN mode that is not declared as an optional required env in the registry metadata. More importantly, the code prints the new refresh token (first 20 chars) to stderr when ML returns an updated refresh_token, which can leak sensitive credentials into logs/monitoring systems.

✓ Persistence & Privilege

always: false and normal autonomous invocation are set. The skill registers tools and runs as a stdio MCP server; it does not modify other skills or system-wide configuration. Updating process.env at runtime is local to the process and not itself a persistence escalation, but combined with stderr logging it poses an information-leak risk.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install mercadolibre-mcp
After installation, invoke the skill by name or use /mercadolibre-mcp
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

First complete MCP server for Mercado Libre. 11 tools for seller operations: products, orders, pricing, stock, questions, ads, metrics, reputation, competitors, categories.

Metadata

Slug mercadolibre-mcp

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Mercado Libre MCP Server?

Complete MCP server for Mercado Libre seller operations — products, orders, pricing, stock, questions, ads, reputation, competitor analysis. It is an AI Agent Skill for Claude Code / OpenClaw, with 124 downloads so far.

How do I install Mercado Libre MCP Server?

Run "/install mercadolibre-mcp" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Mercado Libre MCP Server free?

Yes, Mercado Libre MCP Server is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Mercado Libre MCP Server support?

Mercado Libre MCP Server is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Mercado Libre MCP Server?

It is built and maintained by MarcosNahuel (@marcosnahuel); the current version is v1.0.0.

More Skills