godsboy

Mercury Bank

Author: Dewaldt Huysamen · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 228
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install mercury-bank
Description
Mercury bank API for Digital 4 Jesus LLC (US entity). Use when the user asks about Mercury account balances, transactions, invoices, customers, or sending mo...
Security usage recommendations
This skill appears to be a genuine Mercury API helper, but it expects a banking API token stored in ~/.secrets/mercury.env even though the registry doesn't declare that requirement. Before installing: (1) verify the skill's source and trustworthiness; (2) inspect scripts/mercury.sh yourself (it is included) and confirm it only calls Mercury endpoints; (3) do not place high-privilege API tokens in a file until you confirm where and how the agent will access them — prefer a token with minimal permissions or a read-only scope if possible; (4) be cautious because the script can create invoices and send money — if you proceed, restrict the token's capabilities and audit actions/logs on the Mercury side. If you cannot verify the publisher or correct the declared requirements, treat this skill as untrusted.
Functional analysis
Type: OpenClaw Skill
Name: mercury-bank
Version: 1.0.0
The skill contains a critical command injection vulnerability in `scripts/mercury.sh`. Specifically, the `create-invoice` command interpolates shell variables (such as `$MEMO` and `$INV_NUM`) directly into a Python script string executed via `python3 -c`, allowing for arbitrary code execution if malicious input is provided. While this represents a significant security risk (RCE), there is no clear evidence of intentional malice, data exfiltration to third-party domains, or unauthorized persistence, as the script's logic is otherwise aligned with its stated purpose of managing Mercury bank accounts.
Capability assessment
Purpose & Capability
Name/description and the included script align with a Mercury banking helper (balances, transactions, invoices, customers, sending money). However the registry metadata claims no required credentials or env vars while SKILL.md and the script explicitly require a MERCURY_API_TOKEN stored in ~/.secrets/mercury.env. That mismatch is unexpected and should be corrected.
Instruction Scope
SKILL.md instructs the agent to run the included shell script (absolute path shown) and to read credentials from ~/.secrets/mercury.env. All runtime actions in the script are limited to Mercury API endpoints (GET/POST) and local file reads. The instructions do not attempt to contact any unexpected external endpoints, but they do direct the agent to read a local secrets file and to perform state-changing operations (create invoices, send money) which are sensitive and must be authorized.
Install Mechanism
No install spec or remote downloads; the skill is instruction-only with a bundled script. Nothing is fetched from third‑party URLs and no archives are extracted.
Credentials
The script requires an API token (MERCURY_API_TOKEN) and other config values in ~/.secrets/mercury.env, but the registry lists no required env vars or primary credential. Requesting a banking API token is appropriate for a banking skill, but it should have been declared explicitly. The skill also hardcodes organization/account/customer IDs in files — these are sensitive and may not be suitable to bundle publicly.
Persistence & Privilege
The skill is not always-enabled, does not request elevated persistence, and does not modify other skills or system configs. It only runs the included script on invocation.
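How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install mercury-bank
  3. Once installation completes, invoke the Skill by name or trigger it with /mercury-bank
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history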
v1.0.0
Full Mercury bank API: account balances, transactions, AR invoices, AR customers, recipients, org details. MIT licensed. Requires Mercury Plus for invoicing endpoints. Includes mercury.sh CLI helper and full API reference.
Metadata
Slug mercury-bank
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Historical versions 1
FAQ

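What is Mercury Bank?

Mercury bank API for Digital 4 Jesus LLC (US entity). Use when the user asks about Mercury account balances, transactions, invoices, customers, or sending mo... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 228 total downloads to date.

How do I install Mercury Bank?

Run the command "/install mercury-bank" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Mercury Bank free?

Yes, Mercury Bank is completely free and released under the MIT-0 license; it can be freely downloaded, installed, and used.

Which platforms does Mercury Bank support?

Mercury Bank is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Mercury Bank?

Developed and maintained by Dewaldt Huysamen (@godsboy); current version v1.0.0.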
