← 返回 Skills 市场
sgfa005

API Merchant Fee

作者 sgfa005 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
70
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install api-merchant-fee
功能描述
商户费率查询 API。当用户提到查询商户费率、商户信息、贷记卡费率、借记卡费率、扫码费率、商户管理费,或需要查询某个商户的费率信息时触发。触发词包括:查询商户费率、商户费率、商户费率查询、merchant fee。
使用说明 (SKILL.md)

商户费率查询

请求参数

参数 含义 说明
agentNo 代理商号 32位字符串
apikey API密钥 AES加密密钥(Base64编码)
userId 商户编号 32位字符串,必须为请求代理商直属或团队商户
tusn SN编号 终端SN编号

认证信息管理

agentNo 和 apikey 会自动保存到本地文件(scripts/.auth.json),后续查询如不更换代理商可直接复用。

更换代理商时:提供新的 agentNo + apikey 即可。

使用方式

首次查询(或更换代理商)

提供完整的四个参数:

查询商户费率,代理商号 Ag21000030,apikey xxx,用户编号 BOSSPOS_230228172135uimbcv07,SN编号 00007302499999000232

同一代理商后续查询

只提供 userId 和 tusn:

查询商户 BOSSPOS_230228172135uimbcv07 的费率,SN编号 00007302499999000232

更换代理商

提供新的 agentNo + apikey:

查询商户费率,代理商号 Ag21000031,apikey yyy,用户编号 BOSSPOS_230228172135uimbcv07,SN编号 00007302499999000232

参数判断规则

  1. 用户提供 4 个参数(agentNo + apikey + userId + tusn)→ 直接使用,保存认证信息
  2. 用户只提供 2 个参数(userId + tusn)→ 读取本地保存的 agentNo + apikey
  3. 用户提供 3 个参数 → 询问是否缺少 agentNo/apikey
  4. 认证信息不存在且只提供 userId/tusn → 提示先提供 agentNo + apikey

执行流程

  1. 解析用户输入,判断是否提供完整参数
  2. 如缺少 agentNo/apikey,从 scripts/.auth.json 读取
  3. 调用 scripts/query_fee.py 执行 API 请求
  4. 解析响应结果并格式化输出

输出格式

查询成功

✅ 商户费率信息

**商户编号**:BOSSPOS_230228172135uimbcv07
**商户名称**:XXX 商户
**所属代理**:代理名称(编号)

━━ 费率详情 ━━
**贷记卡基础费率**:0.55%
**借记卡费率**:0.45%
**借记卡封顶手续费**:25元
**云闪付费率**:0.38%
**支付宝龙舟计划费率**:0.38%
**扫码费率**(微信/支付宝):0.38%
**出款服务费**:1元
**商户管理费1**:0.1%
**商户管理费2**:0.05%

**绑定终端**:SN123456, SN654321

查询失败

❌ 查询失败

**返回码**:9999
**原因**:商户未配置费率

参数缺失

⚠️ 参数不完整

缺少以下必填参数:
- agentNo(代理商号)
- apikey(API密钥)

请提供完整信息后重试,格式示例:
查询商户费率,代理商号 XXX,apikey XXX,用户编号 XXX,SN编号 XXX

错误处理

  • 网络错误:提示检查网络或 API 服务
  • 认证失败(401/403):提示检查 API Key 配置
  • 业务失败(非0000):显示具体错误码和原因
  • 商户不属于该代理:提示用户检查商户编号是否正确

注意事项

  • 永远不要在响应中暴露 API Key
  • 费率单位:百分比格式(如 0.55%),封顶手续费单位为元
安全使用建议
This skill appears to implement the stated merchant-fee lookup, but review the following before installing: - Origin/provenance: the skill source and owner are unknown. Prefer code from a trusted author or vendor. - Unused hard-coded credential: scripts/config.json contains a baseUrl (raw IP) and a Base64 API key. Either this is a leftover/test credential or a secret bundled in the package — remove or rotate it and confirm the correct endpoint before use. - Network endpoint: the script will POST encrypted data to a raw IP (47.111.144.23:8094). Verify that endpoint is legitimate for your organization; do not use if you cannot verify or trust it. - Dependencies: the script requires the Crypto/pycryptodome Python package but the skill metadata does not declare it. Ensure you install dependencies from trusted sources, and consider running the script in an isolated environment (container) if you must test it. - Local persistence of secrets: the script writes credentials to scripts/.auth.json in cleartext. If you proceed, store that file securely (restrict permissions) or modify the script to avoid persistent storage. If you cannot verify the endpoint and the included apiKey, treat this skill as untrusted. To be safer: ask the publisher for provenance, remove or replace scripts/config.json, run the script in a sandbox, and rotate any keys that were embedded or reused.
功能分析
Type: OpenClaw Skill Name: api-merchant-fee Version: 1.0.0 The skill is designed to query merchant fee information but contains several significant security vulnerabilities. It stores sensitive API keys and agent IDs in a local plaintext file (`scripts/.auth.json`) for persistence, uses the insecure AES-ECB encryption mode in `scripts/query_fee.py`, and defaults to an unencrypted HTTP endpoint (`http://47.111.144.23:8094`) in `scripts/config.json`. While these appear to be unintentional design flaws rather than malicious intent, they pose a high risk of credential theft and data interception.
能力标签
cryptorequires-sensitive-credentials
能力评估
Purpose & Capability
Name/description and the Python script both implement a merchant fee lookup (posting encrypted requests and decrypting responses), so functionality matches purpose. However scripts/config.json embeds a baseUrl and an API key (Base64) that are not referenced by the script or SKILL.md, creating an unexplained artifact.
Instruction Scope
SKILL.md instructs parsing user parameters, reading/writing scripts/.auth.json, calling scripts/query_fee.py, and formatting output — which is exactly what the script does. The instructions do not ask for unrelated files or credentials beyond agentNo/apikey.
Install Mechanism
This is instruction-only (no install spec), but the bundled Python script imports Crypto (pycryptodome). No dependency or runtime requirement is declared in the skill metadata or SKILL.md, so the runtime may fail or an operator might be prompted to install packages from external sources. Also the skill makes network calls to a raw IP address rather than a documented public API hostname.
Credentials
No environment variables are requested (consistent), but the repository includes scripts/config.json that contains a baseUrl pointing to 47.111.144.23:8094 and an apparent Base64 API key. The script does not read config.json, so embedding a credential in the package is unnecessary and risky. The script persistently saves provided credentials to scripts/.auth.json (in cleartext) regardless of query success.
Persistence & Privilege
The skill persists agentNo/apikey to scripts/.auth.json for reuse — this is expected for convenience but creates a local secret file. The skill does not request elevated system privileges or modify other skills. always is false and autonomous invocation is allowed (platform default).
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install api-merchant-fee
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /api-merchant-fee 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
api-merchant-fee v1.0.0 - Initial release of the 商户费率查询 (Merchant Fee Query) skill. - Supports querying merchant rates by parsing user input for required parameters (agentNo, apikey, userId, tusn). - Caches agentNo and apikey locally for convenient repeat queries. - Handles input validation and parameter completion with clear user prompts. - Formats successful, failed, or incomplete queries with easy-to-read templates. - Includes robust error handling for network, authentication, and business logic errors.
元数据
Slug api-merchant-fee
版本 1.0.0
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 1
常见问题

API Merchant Fee 是什么?

商户费率查询 API。当用户提到查询商户费率、商户信息、贷记卡费率、借记卡费率、扫码费率、商户管理费,或需要查询某个商户的费率信息时触发。触发词包括:查询商户费率、商户费率、商户费率查询、merchant fee。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 70 次。

如何安装 API Merchant Fee?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install api-merchant-fee」即可一键安装,无需额外配置。

API Merchant Fee 是免费的吗?

是的,API Merchant Fee 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

API Merchant Fee 支持哪些平台?

API Merchant Fee 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 API Merchant Fee?

由 sgfa005(@sgfa005)开发并维护,当前版本 v1.0.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论