Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mayar Payment Integration

Integrate Mayar.id payments to create invoices, generate payment links, track Indonesian payment methods, manage subscriptions, and automate payment workflows.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 1.5k · 1 current installs · 1 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability (flagged)
The files and SKILL.md describe a Mayar payment integration (create invoices, links, track transactions) which is coherent with the skill name. However, the skill metadata declares no required credentials or config, while the instructions require a Mayar API token and edits to mcporter config. The missing declaration of required secrets in metadata is an inconsistency.
Instruction Scope (flagged)
The SKILL.md explicitly instructs the user/agent to create ~/.config/mayar/credentials, set a MAYAR_API_TOKEN, and to add an mcporter entry that includes the Authorization header containing the API token. It also instructs running mcporter commands (mcporter call ...) and editing config/mcporter.json. These file writes and token-placement instructions go beyond read-only docs and have direct effects on user config and secrets; while needed for the stated purpose, they expose the token in config/command arguments and alter local configuration.
Install Mechanism
There is no install spec in the registry (instruction-only skill). The MCP config example uses 'npx mcp-remote' (npx will fetch/execute an npm package at runtime). That means code will be downloaded/executed via npm when mcporter is used — a legitimate pattern for remote connectors but it carries the runtime risk of installing third-party code. The skill itself doesn't provide an audited install artifact or pinned release.
Credentials (flagged)
The integration clearly requires a Mayar API token, but the skill lists no required env vars/primary credential. The instructions put the token into ~/.config/mayar/credentials and inline the token in mcporter's args/header. Inlining a secret into command args can expose it via process listings and in shared config files; the skill should have declared the credential and advised safer handling (e.g., environment variables, process-isolated secrets, or mcporter-native secret storage).
Persistence & Privilege
always:false and model invocation is allowed (normal). The runtime steps instruct modifying user configuration files (creating ~/.config/mayar/credentials and editing config/mcporter.json) which creates persistent local state. This is plausible for a connector, but users should be aware these are persistent changes to their environment.
What to consider before installing
  • Metadata mismatch: the skill does not declare that it needs an API token yet the instructions require you to store a Mayar API token and modify mcporter config; insist the publisher update metadata to list required credentials.
  • Secret exposure risk: the guide shows placing the token in a credentials file and in command args (--header Authorization:YOUR_API_TOKEN_HERE). Passing secrets in command arguments can expose them via process lists and logs. Prefer using environment variables, a secrets store, or mcporter's supported secret mechanism if available.
  • Runtime downloads: the mcporter config relies on npx mcp-remote which will fetch and run code from npm at runtime. Review and verify the mcp-remote package/maintainer before allowing it to run in production.
  • Test in isolation: try this first with sandbox API keys and in a controlled/test environment. Verify webhook URLs and token handling before moving to production.
  • Review config changes: the instructions modify config/mcporter.json; back up existing configs and confirm you are comfortable with persistent changes.
  • Verify endpoints: confirm domains (mcp.mayar.id, api.mayar.id / api.mayar.club) are legitimate official endpoints for your organization.

If you need this integration, it's probably usable, but ask the publisher to fix metadata (declare required credential), and revise instructions to avoid inlining secrets into command args and to document safe secret handling. If you cannot verify package sources or are uncomfortable with config changes, do not enable it in a production environment.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0

SKILL.md

Mayar Payment Integration

Integrate Mayar.id payment platform via MCP (Model Context Protocol) for Indonesian payment processing.

Prerequisites

  1. Mayar.id account - Sign up at https://mayar.id
  2. API Key - Generate from https://web.mayar.id/api-keys
  3. mcporter configured - MCP must be set up in Clawdbot

Setup

1. Store API Credentials

mkdir -p ~/.config/mayar
cat > ~/.config/mayar/credentials << EOF
MAYAR_API_TOKEN="your-jwt-token-here"
EOF
chmod 600 ~/.config/mayar/credentials

2. Configure MCP Server

Add to config/mcporter.json:

{
  "mcpServers": {
    "mayar": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://mcp.mayar.id/sse",
        "--header",
        "Authorization:YOUR_API_TOKEN_HERE"
      ]
    }
  }
}

Replace YOUR_API_TOKEN_HERE with your actual token.

3. Test Connection

mcporter list mayar

The output should list 15+ available tools.
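
The scan results above flag two things in this setup: the token written literally into the --header argument, and npx fetching an unpinned mcp-remote at runtime. The following Node.js check is an added example, not part of SKILL.md or any Mayar or mcporter code; it reports both conditions for a parsed config/mcporter.json. The finding codes and the ${VAR} reference convention it accepts are assumptions of the example.

```javascript
// Added example: static audit of a parsed mcporter-style config.
// Finding codes are names chosen for this example.
function auditMcpConfig(config) {
  const findings = [];
  for (const [name, server] of Object.entries(config.mcpServers ?? {})) {
    const args = Array.isArray(server.args) ? server.args : [];
    if (server.command === 'npx') {
      // The first non-flag argument is the package npx fetches and runs.
      const pkg = args.find((a) => !a.startsWith('-'));
      // "name@1.2.3" is pinned; a bare name resolves to whatever is latest.
      if (pkg && !/^(@[^/]+\/)?[^@]+@\d+\.\d+\.\d+/.test(pkg)) {
        findings.push({ server: name, code: 'unpinned-npx-package', detail: pkg });
      }
    }
    args.forEach((arg, i) => {
      if (arg !== '--header' || i + 1 >= args.length) return;
      const header = args[i + 1];
      const sep = header.indexOf(':');
      const key = header.slice(0, sep).trim().toLowerCase();
      const value = header.slice(sep + 1).trim();
      // Assumption: "${VAR}" (optionally after a scheme word) is resolved from
      // the environment by the launcher, so the file holds no secret.
      const isReference = /^(\w+ )?\$\{\w+\}$/.test(value);
      if (sep > 0 && key === 'authorization' && !isReference) {
        // Report the length only, never the value.
        findings.push({ server: name, code: 'inline-authorization-secret',
                        detail: `${value.length} chars` });
      }
    });

    for (const url of args.filter((a) => /^http:\/\//i.test(a))) {
      findings.push({ server: name, code: 'cleartext-endpoint', detail: url });
    }
  }
  return findings;
}

// Constructed sample: the config shape from step 2 with a made-up token value.
const sampleConfig = {
  mcpServers: {
    mayar: {
      command: 'npx',
      args: ['-y', 'mcp-remote', 'https://mcp.mayar.id/sse',
             '--header', 'Authorization:constructed.sample.token'],
    },
  },
};
console.log(auditMcpConfig(sampleConfig));
```

An empty result means neither condition was found in the file; it says nothing about how the launcher handles the token at runtime.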

Core Workflows

Create Invoice with Payment Link

The most common use case: generate a payment link for a customer.

mcporter call mayar.create_invoice \
  name="Customer Name" \
  email="email@example.com" \
  mobile="\"628xxx\"" \
  description="Order description" \
  redirectURL="https://yoursite.com/thanks" \
  expiredAt="2026-12-31T23:59:59+07:00" \
  items='[{"quantity":1,"rate":500000,"description":"Product A"}]'

Returns:

{
  "id": "uuid",
  "transactionId": "uuid", 
  "link": "https://subdomain.myr.id/invoices/slug",
  "expiredAt": 1234567890
}

Key fields:

  • mobile - MUST be string with quotes: "\"628xxx\""
  • expiredAt - ISO 8601 format with timezone
  • items - Array of {quantity, rate, description}
  • redirectURL - Where customer goes after payment
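
Customer-supplied values (name, email, description) end up on the mcporter call command line, so they should be validated and passed as separate arguments rather than spliced into a shell string. The following Node.js function is an added example, not from SKILL.md; it enforces the key-field rules listed above and returns the argument array. The function name, the order object shape and the mobile length bound are assumptions.

```javascript
// Added example (not from SKILL.md). Field rules follow the "Key fields" list.
function buildCreateInvoiceArgs(order) {
  const fail = (why) => { throw new Error(`invalid order: ${why}`); };
  // Free-text fields: reject control characters so each value stays one argument.
  for (const key of ['name', 'email', 'description']) {
    if (typeof order[key] !== 'string' || /[\u0000-\u001f]/.test(order[key])) fail(key);
  }
  // 628xxxxxxxxxx, no "+" or spaces. The 7-11 digit bound is an assumption.
  if (typeof order.mobile !== 'string' || !/^628\d{7,11}$/.test(order.mobile)) fail('mobile');
  // ISO 8601 with an explicit offset (or Z).
  const iso = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(Z|[+-]\d{2}:\d{2})$/;
  if (!iso.test(order.expiredAt) || Number.isNaN(Date.parse(order.expiredAt))) fail('expiredAt');
  // Only redirect the customer to an https page.
  let redirect;
  try { redirect = new URL(order.redirectURL); } catch { fail('redirectURL'); }
  if (redirect.protocol !== 'https:') fail('redirectURL must be https');
  if (!Array.isArray(order.items) || order.items.length === 0) fail('items');
  const items = order.items.map(({ quantity, rate, description }) => {
    if (!Number.isInteger(quantity) || quantity < 1) fail('item quantity');
    if (!Number.isInteger(rate) || rate < 1) fail('item rate');
    return { quantity, rate, description: String(description) };
  });
  // One array element per argument: pass this to child_process.execFile('mcporter', args),
  // never to a shell string, so quotes and metacharacters in customer data stay literal.
  return [
    'call', 'mayar.create_invoice',
    `name=${order.name}`,
    `email=${order.email}`,
    `mobile=${JSON.stringify(order.mobile)}`, // literal quotes, like "\"628xxx\"" in the shell
    `description=${order.description}`,
    `redirectURL=${redirect.href}`,
    `expiredAt=${order.expiredAt}`,
    `items=${JSON.stringify(items)}`,
  ];
}

// Constructed sample order; the name carries shell metacharacters on purpose.
const sampleOrder = {
  name: 'A. Customer; $HOME',
  email: 'email@example.com',
  mobile: '6281234567890',
  description: 'Order description',
  redirectURL: 'https://yoursite.com/thanks',
  expiredAt: '2026-12-31T23:59:59+07:00',
  items: [{ quantity: 1, rate: 500000, description: 'Product A' }],
};
console.log(buildCreateInvoiceArgs(sampleOrder));
```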

WhatsApp Integration Pattern

// 1. Create invoice
// createInvoice() is a hypothetical helper of your own that wraps:
//   mcporter call mayar.create_invoice
const invoice = createInvoice(order);

// 2. Format message (amount, total and expiryDate come from your order data)
const text = `
✅ *Order Confirmed!*

*Items:*
• Product Name
  Rp ${amount.toLocaleString('id-ID')}

*TOTAL: Rp ${total.toLocaleString('id-ID')}*

💳 *Pembayaran:*
${invoice.data.link}

⏰ Berlaku sampai: ${expiryDate}

Terima kasih! 🙏
`.trim();

// 3. Send via WhatsApp
// The text is kept in its own variable so it does not shadow message().
message({
  action: 'send',
  channel: 'whatsapp',
  target: customerPhone,
  message: text
});

Check Payment Status

# Get latest transactions (check if paid)
mcporter call mayar.get_latest_transactions page:1 pageSize:10

# Get unpaid invoices
mcporter call mayar.get_latest_unpaid_transactions page:1 pageSize:10

Filter by status: "created" (unpaid) → "paid" (success).

Other Operations

# Check account balance
mcporter call mayar.get_balance

# Get customer details
mcporter call mayar.get_customer_detail \
  customerName="Name" \
  customerEmail="email@example.com" \
  page:1 pageSize:10

# Filter by time period
mcporter call mayar.get_transactions_by_time_period \
  page:1 pageSize:10 \
  period:"this_month" \
  sortField:"createdAt" \
  sortOrder:"DESC"

Common Patterns

Multi-Item Invoice

items='[
  {"quantity":2,"rate":500000,"description":"Product A"},
  {"quantity":1,"rate":1000000,"description":"Product B"}
]'
# Total: 2M (2×500K + 1×1M)

Subscription/Recurring

Use membership tools:

mcporter call mayar.get_membership_customer_by_specific_product \
  productName:"Premium Membership" \
  productLink:"your-product-link" \
  productId:"product-uuid" \
  page:1 pageSize:10 \
  memberStatus:"active"

Payment Confirmation Flow

Option A: Webhook (Real-time)

  • Register webhook URL with Mayar
  • Receive instant payment notifications
  • Best for production

Option B: Polling (Simpler)

  • Poll get_latest_transactions every 30-60s
  • Check for new payments
  • Best for MVP/testing

Troubleshooting

404 on payment link:

  • Link format: https://your-subdomain.myr.id/invoices/slug
  • Check dashboard for correct subdomain
  • Default may be account name

Invalid mobile number:

  • Mobile MUST be string: "\"628xxx\"" (with escaped quotes)
  • Format: 628xxxxxxxxxx (no + or spaces)

Expired invoice:

  • Default expiry is the expiredAt timestamp
  • Customer can't pay after expiration
  • Create new invoice if needed

Reference Documentation

Production Checklist

  • Use production API key (not sandbox)
  • Setup webhook for payment notifications
  • Error handling for failed invoice creation
  • Store invoice IDs for tracking
  • Handle payment expiration
  • Customer database integration
  • Receipt/confirmation automation

Environments

Production:

Sandbox (Testing):
