API Merchant Fee

v1.0.0

商户费率查询 API。当用户提到查询商户费率、商户信息、贷记卡费率、借记卡费率、扫码费率、商户管理费，或需要查询某个商户的费率信息时触发。触发词包括：查询商户费率、商户费率、商户费率查询、merchant fee。

⭐ 0· 63·0 current·0 all-time

by@sgfa005

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for sgfa005/api-merchant-fee.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "API Merchant Fee" (sgfa005/api-merchant-fee) from ClawHub.
Skill page: https://clawhub.ai/sgfa005/api-merchant-fee
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install api-merchant-fee

ClawHub CLI

Package manager switcher

npx clawhub@latest install api-merchant-fee

Security Scan

Capability signals

CryptoRequires sensitive credentials

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal

Suspicious

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

Name/description and the Python script both implement a merchant fee lookup (posting encrypted requests and decrypting responses), so functionality matches purpose. However scripts/config.json embeds a baseUrl and an API key (Base64) that are not referenced by the script or SKILL.md, creating an unexplained artifact.

✓

Instruction Scope

SKILL.md instructs parsing user parameters, reading/writing scripts/.auth.json, calling scripts/query_fee.py, and formatting output — which is exactly what the script does. The instructions do not ask for unrelated files or credentials beyond agentNo/apikey.

Install Mechanism

This is instruction-only (no install spec), but the bundled Python script imports Crypto (pycryptodome). No dependency or runtime requirement is declared in the skill metadata or SKILL.md, so the runtime may fail or an operator might be prompted to install packages from external sources. Also the skill makes network calls to a raw IP address rather than a documented public API hostname.

Credentials

No environment variables are requested (consistent), but the repository includes scripts/config.json that contains a baseUrl pointing to 47.111.144.23:8094 and an apparent Base64 API key. The script does not read config.json, so embedding a credential in the package is unnecessary and risky. The script persistently saves provided credentials to scripts/.auth.json (in cleartext) regardless of query success.

ℹ

Persistence & Privilege

The skill persists agentNo/apikey to scripts/.auth.json for reuse — this is expected for convenience but creates a local secret file. The skill does not request elevated system privileges or modify other skills. always is false and autonomous invocation is allowed (platform default).

What to consider before installing

This skill appears to implement the stated merchant-fee lookup, but review the following before installing: - Origin/provenance: the skill source and owner are unknown. Prefer code from a trusted author or vendor. - Unused hard-coded credential: scripts/config.json contains a baseUrl (raw IP) and a Base64 API key. Either this is a leftover/test credential or a secret bundled in the package — remove or rotate it and confirm the correct endpoint before use. - Network endpoint: the script will POST encrypted data to a raw IP (47.111.144.23:8094). Verify that endpoint is legitimate for your organization; do not use if you cannot verify or trust it. - Dependencies: the script requires the Crypto/pycryptodome Python package but the skill metadata does not declare it. Ensure you install dependencies from trusted sources, and consider running the script in an isolated environment (container) if you must test it. - Local persistence of secrets: the script writes credentials to scripts/.auth.json in cleartext. If you proceed, store that file securely (restrict permissions) or modify the script to avoid persistent storage. If you cannot verify the endpoint and the included apiKey, treat this skill as untrusted. To be safer: ask the publisher for provenance, remove or replace scripts/config.json, run the script in a sandbox, and rotate any keys that were embedded or reused.

scripts/config.json:3

Install source points to URL shortener or raw IP.

About static analysis

These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

apivk97e6wkac6z8jtd2ett7f8vxg584yesbfinancevk97e6wkac6z8jtd2ett7f8vxg584yesblatestvk97e6wkac6z8jtd2ett7f8vxg584yesb

63downloads

0stars

1versions

Updated 1w ago

v1.0.0

MIT-0

商户费率查询

请求参数

参数	含义	说明
agentNo	代理商号	32位字符串
apikey	API密钥	AES加密密钥（Base64编码）
userId	商户编号	32位字符串，必须为请求代理商直属或团队商户
tusn	SN编号	终端SN编号

认证信息管理

agentNo 和 apikey 会自动保存到本地文件（scripts/.auth.json），后续查询如不更换代理商可直接复用。

更换代理商时：提供新的 agentNo + apikey 即可。

使用方式

首次查询（或更换代理商）

提供完整的四个参数：

查询商户费率，代理商号 Ag21000030，apikey xxx，用户编号 BOSSPOS_230228172135uimbcv07，SN编号 00007302499999000232

同一代理商后续查询

只提供 userId 和 tusn：

查询商户 BOSSPOS_230228172135uimbcv07 的费率，SN编号 00007302499999000232

更换代理商

提供新的 agentNo + apikey：

查询商户费率，代理商号 Ag21000031，apikey yyy，用户编号 BOSSPOS_230228172135uimbcv07，SN编号 00007302499999000232

参数判断规则

用户提供 4 个参数（agentNo + apikey + userId + tusn）→ 直接使用，保存认证信息
用户只提供 2 个参数（userId + tusn）→ 读取本地保存的 agentNo + apikey
用户提供 3 个参数 → 询问是否缺少 agentNo/apikey
认证信息不存在且只提供 userId/tusn → 提示先提供 agentNo + apikey

执行流程

解析用户输入，判断是否提供完整参数
如缺少 agentNo/apikey，从 scripts/.auth.json 读取
调用 scripts/query_fee.py 执行 API 请求
解析响应结果并格式化输出

输出格式

查询成功

✅ 商户费率信息

**商户编号**：BOSSPOS_230228172135uimbcv07
**商户名称**：XXX 商户
**所属代理**：代理名称（编号）

━━ 费率详情 ━━
**贷记卡基础费率**：0.55%
**借记卡费率**：0.45%
**借记卡封顶手续费**：25元
**云闪付费率**：0.38%
**支付宝龙舟计划费率**：0.38%
**扫码费率**（微信/支付宝）：0.38%
**出款服务费**：1元
**商户管理费1**：0.1%
**商户管理费2**：0.05%

**绑定终端**：SN123456, SN654321

查询失败

❌ 查询失败

**返回码**：9999
**原因**：商户未配置费率

参数缺失

⚠️ 参数不完整

缺少以下必填参数：
- agentNo（代理商号）
- apikey（API密钥）

请提供完整信息后重试，格式示例：
查询商户费率，代理商号 XXX，apikey XXX，用户编号 XXX，SN编号 XXX

错误处理

网络错误：提示检查网络或 API 服务
认证失败（401/403）：提示检查 API Key 配置
业务失败（非0000）：显示具体错误码和原因
商户不属于该代理：提示用户检查商户编号是否正确

注意事项

永远不要在响应中暴露 API Key
费率单位：百分比格式（如 0.55%），封顶手续费单位为元

Comments

Loading comments...