Merso Integration

v1.0.5

Integrate Merso PNPL (Play Now, Pay Later) payments into games or digital goods platforms. Use when a user wants to: (1) add Merso installment payments to a...

by Alfredo Bárcena (@dreadterror)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (Merso PNPL integration) match the declared requirements (MERSO_ENV, MERSO_GAME_ID, MERSO_API_KEY) and the included reference docs describe API endpoints, webhooks, DB schema and integration flow that a merchant would need.
Instruction Scope
SKILL.md and references provide concrete integration steps (auth, token caching, POST /merso-buy-item, webhook setup/verification, fallback verify endpoint) which are appropriate. Note: it advises caching/auto-renewing tokens and gives a webhook verification example using MERSO_API_KEY as an HMAC secret — valid but implementers should securely store tokens and confirm the actual webhook signing scheme with Merso before trusting production traffic.
Install Mechanism
Instruction-only skill with no install spec and no code files — minimal surface area and nothing is written to disk by the skill itself.
Credentials
Only three environment variables are required and they are directly relevant to a payment integration: environment, game ID, and API key. No unrelated credentials or broad system config are requested.
Persistence & Privilege
Skill is not always-enabled, is user-invocable, and has no install/runtime components that request persistent system-level privileges or modify other skills' configurations.
Assessment
This is a coherent integration guide for Merso and does not request unrelated access. Before installing or using it: (1) treat MERSO_API_KEY as a sensitive secret — never expose it to client-side code and store tokens securely; (2) confirm with Merso the exact webhook signing header and secret (the doc uses MERSO_API_KEY as an example HMAC key — verify this); (3) restrict webhook endpoints (HTTPS, IP allowlist if no signature) and implement idempotent handlers as instructed; (4) test fully in the development base URL (api2.dev.merso.io) before production; (5) be aware the commercial docs make product claims (zero KYC, license expiry model) that you should validate with legal/compliance for your region. The skill is instruction-only, so it itself will not install code or fetch remote binaries.


latest: vk97fhnk84w2ek4at35qv1n74mx83jf9h


Runtime requirements

Env: MERSO_GAME_ID, MERSO_API_KEY, MERSO_ENV
