← 返回 Skills 市场
Mercado Libre MCP Server
作者
MarcosNahuel
· GitHub ↗
· v1.0.0
· MIT-0
124
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install mercadolibre-mcp
功能描述
Complete MCP server for Mercado Libre seller operations — products, orders, pricing, stock, questions, ads, reputation, competitor analysis
安全使用建议
This package appears to implement the Mercado Libre MCP features it claims, but take precautions before installing or running it with real credentials:
- The code will perform OAuth refreshes and, if Mercado Libre returns a new refresh_token, the server will set process.env.ML_REFRESH_TOKEN and print the first ~20 characters of the new refresh token to stderr. That log can expose part of your credential to logs/monitoring systems. Consider removing or redacting that console.error line before running, or ensure logs are not stored in an untrusted place.
- If you don't need auto-refresh, prefer supplying ML_ACCESS_TOKEN (short-lived) managed by your own scheduler (n8n/cron) instead of giving client_secret + refresh_token to this process.
- Run the server in an isolated environment/container, not on a host with other sensitive workloads or shared logging, and rotate credentials after first use if you test it.
- Review dependencies (npm modules) and run npm audit / vet the @modelcontextprotocol/sdk package versions you will install.
- Check that the ML_CLIENT_ID/ML_CLIENT_SECRET you provide have minimal scopes required for the operations you need.
If you want, I can point to the exact lines to change (remove/redact the refresh token log) and show a small patch to avoid printing tokens to stderr.
功能分析
Package: (mcp)
Version:
Description: Complete MCP server for Mercado Libre seller operations — 11 tools for products, orders, pricing, stock, questions, ads, reputation, and competitor analysis
The package is a legitimate Model Context Protocol (MCP) server for interacting with the Mercado Libre API. It provides tools for managing products, orders, pricing, stock, and customer questions. The code uses standard OAuth2 authentication to communicate with the official Mercado Libre endpoints and does not contain any malicious logic, unauthorized data exfiltration, or unexpected binary execution.
能力评估
Purpose & Capability
Name, description, tools, required binaries (node) and npm dependencies (@modelcontextprotocol/sdk, zod) align with a MCP server for Mercado Libre. The requested env vars (ML_CLIENT_ID, ML_CLIENT_SECRET, ML_REFRESH_TOKEN) are expected for OAuth auto-refresh mode.
Instruction Scope
SKILL.md and README instruct only to set ML credentials and run the server; runtime instructions call only Mercado Libre APIs. However, auth.ts logs a portion of any newly returned refresh_token to stderr and writes the new refresh_token into process.env — these actions broaden what runtime output may contain and can leak secrets into logs.
Install Mechanism
There is no external download/install-from-URL; this is an instruction/code-only package with dependencies declared in package.json. Dependencies come from npm (typical). No suspicious install URLs or archive extraction were found.
Credentials
Requested env vars (ML_CLIENT_ID, ML_CLIENT_SECRET, ML_REFRESH_TOKEN) are appropriate for auto-refresh, but SKILL.md also documents an alternative ML_ACCESS_TOKEN mode that is not declared as an optional required env in the registry metadata. More importantly, the code prints the new refresh token (first 20 chars) to stderr when ML returns an updated refresh_token, which can leak sensitive credentials into logs/monitoring systems.
Persistence & Privilege
always: false and normal autonomous invocation are set. The skill registers tools and runs as a stdio MCP server; it does not modify other skills or system-wide configuration. Updating process.env at runtime is local to the process and not itself a persistence escalation, but combined with stderr logging it poses an information-leak risk.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install mercadolibre-mcp - 安装完成后,直接呼叫该 Skill 的名称或使用
/mercadolibre-mcp触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
First complete MCP server for Mercado Libre. 11 tools for seller operations: products, orders, pricing, stock, questions, ads, metrics, reputation, competitors, categories.
元数据
常见问题
Mercado Libre MCP Server 是什么?
Complete MCP server for Mercado Libre seller operations — products, orders, pricing, stock, questions, ads, reputation, competitor analysis. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 124 次。
如何安装 Mercado Libre MCP Server?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install mercadolibre-mcp」即可一键安装,无需额外配置。
Mercado Libre MCP Server 是免费的吗?
是的,Mercado Libre MCP Server 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Mercado Libre MCP Server 支持哪些平台?
Mercado Libre MCP Server 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Mercado Libre MCP Server?
由 MarcosNahuel(@marcosnahuel)开发并维护,当前版本 v1.0.0。
推荐 Skills