← 返回 Skills 市场
2050
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install mayar-payment
功能描述
Integrate Mayar.id payments to create invoices, generate payment links, track Indonesian payment methods, manage subscriptions, and automate payment workflows.
安全使用建议
What to consider before installing:
- Metadata mismatch: the skill does not declare that it needs an API token yet the instructions require you to store a Mayar API token and modify mcporter config; insist the publisher update metadata to list required credentials.
- Secret exposure risk: the guide shows placing the token in a credentials file and in command args (--header Authorization:YOUR_API_TOKEN_HERE). Passing secrets in command arguments can expose them via process lists and logs. Prefer using environment variables, a secrets store, or mcporter's supported secret mechanism if available.
- Runtime downloads: the mcporter config relies on npx mcp-remote which will fetch and run code from npm at runtime. Review and verify the mcp-remote package/maintainer before allowing it to run in production.
- Test in isolation: try this first with sandbox API keys and in a controlled/test environment. Verify webhook URLs and token handling before moving to production.
- Review config changes: the instructions modify config/mcporter.json — back up existing configs and confirm you are comfortable with persistent changes.
- Verify endpoints: confirm domains (mcp.mayar.id, api.mayar.id / api.mayar.club) are legitimate official endpoints for your organization.
If you need this integration, it's probably usable, but ask the publisher to fix metadata (declare required credential), and revise instructions to avoid inlining secrets into command args and to document safe secret handling. If you cannot verify package sources or are uncomfortable with config changes, do not enable it in a production environment.
功能分析
Type: OpenClaw Skill
Name: mayar-payment
Version: 1.0.0
The skill bundle is designed for Mayar.id payment integration, which is a legitimate purpose. However, it includes instructions for setup using `npx -y mcp-remote` in `SKILL.md`, which involves fetching and executing code from npm, posing a supply chain risk. Additionally, the `references/integration-examples.md` file contains JavaScript snippets that use `execSync` to run `mcporter` commands. While these actions are plausibly needed for the stated purpose of the skill, `npx` and `execSync` are powerful shell execution capabilities that, without clear malicious intent, elevate the classification to suspicious due to the inherent risks of executing external code and shell commands.
能力评估
Purpose & Capability
The files and SKILL.md describe a Mayar payment integration (create invoices, links, track transactions) which is coherent with the skill name. However, the skill metadata declares no required credentials or config, while the instructions require a Mayar API token and edits to mcporter config. The missing declaration of required secrets in metadata is an inconsistency.
Instruction Scope
The SKILL.md explicitly instructs the user/agent to create ~/.config/mayar/credentials, set a MAYAR_API_TOKEN, and to add an mcporter entry that includes the Authorization header containing the API token. It also instructs running mcporter commands (mcporter call ...) and editing config/mcporter.json. These file writes and token-placement instructions go beyond read-only docs and have direct effects on user config and secrets; while needed for the stated purpose, they expose the token in config/command arguments and alter local configuration.
Install Mechanism
There is no install spec in the registry (instruction-only skill). The MCP config example uses 'npx mcp-remote' (npx will fetch/execute an npm package at runtime). That means code will be downloaded/ executed via npm when mcporter is used — a legitimate pattern for remote connectors but it carries the runtime risk of installing third-party code. The skill itself doesn't provide an audited install artifact or pinned release.
Credentials
The integration clearly requires a Mayar API token, but the skill lists no required env vars/primary credential. The instructions put the token into ~/.config/mayar/credentials and inline the token in mcporter's args/header. Inlining a secret into command args can expose it via process listings and in shared config files; the skill should have declared the credential and advised safer handling (e.g., environment variables, process-isolated secrets, or mcporter-native secret storage).
Persistence & Privilege
always:false and model invocation is allowed (normal). The runtime steps instruct modifying user configuration files (creating ~/.config/mayar/credentials and editing config/mcporter.json) which creates persistent local state. This is plausible for a connector, but users should be aware these are persistent changes to their environment.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install mayar-payment - 安装完成后,直接呼叫该 Skill 的名称或使用
/mayar-payment触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release
元数据
常见问题
Mayar Payment Integration 是什么?
Integrate Mayar.id payments to create invoices, generate payment links, track Indonesian payment methods, manage subscriptions, and automate payment workflows. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 2050 次。
如何安装 Mayar Payment Integration?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install mayar-payment」即可一键安装,无需额外配置。
Mayar Payment Integration 是免费的吗?
是的,Mayar Payment Integration 完全免费(开源免费),可自由下载、安装和使用。
Mayar Payment Integration 支持哪些平台?
Mayar Payment Integration 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Mayar Payment Integration?
由 ahsanatha(@ahsanatha)开发并维护,当前版本 v1.0.0。
推荐 Skills