pp-mercury
Facilitates account management and transaction processing using the Mercury banking API for seamless payment handling.
Install this skill
or
55/100
Security score
The pp-mercury skill was audited on Jun 10, 2026 and we found 9 security issues across 2 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
medium line 183
Webhook reference - potential data exfiltration
SourceSKILL.md
| 183 | **webhooks** — Manage webhooks |
medium line 185
Webhook reference - potential data exfiltration
SourceSKILL.md
| 185 | - `mercury-pp-cli webhooks create` — Register a new webhook endpoint to receive event notifications |
medium line 186
Webhook reference - potential data exfiltration
SourceSKILL.md
| 186 | - `mercury-pp-cli webhooks delete` — Delete a webhook endpoint |
medium line 187
Webhook reference - potential data exfiltration
SourceSKILL.md
| 187 | - `mercury-pp-cli webhooks get` — Retrieve a paginated list of all webhook endpoints for your organization. Supports filtering by status. |
medium line 188
Webhook reference - potential data exfiltration
SourceSKILL.md
| 188 | - `mercury-pp-cli webhooks get-webhookendpointid` — Retrieve details of a specific webhook endpoint by ID |
medium line 189
Webhook reference - potential data exfiltration
SourceSKILL.md
| 189 | - `mercury-pp-cli webhooks update` — Update the configuration of an existing webhook endpoint. A webhook that has been disabled due to consecutive... |
medium line 264
Webhook reference - potential data exfiltration
SourceSKILL.md
| 264 | | `webhook:<url>` | POST the output body to the URL (`application/json` or `application/x-ndjson` when `--compact`) | |
medium line 266
Webhook reference - potential data exfiltration
SourceSKILL.md
| 266 | Unknown schemes are refused with a structured error naming the supported set. Webhook failures return non-zero and log the URL + HTTP status on stderr. |
medium line 252
Access to hidden dotfiles in home directory
SourceSKILL.md
| 252 | Entries are stored locally at `~/.mercury-pp-cli/feedback.jsonl`. They are never POSTed unless `MERCURY_FEEDBACK_ENDPOINT` is set AND either `--send` is passed or `MERCURY_FEEDBACK_AUTO_SEND=true`. De |
Scanned on Jun 10, 2026
View Security DashboardGitHub Stars 1.4K
Rate this skill
Categoryfinance accounting
UpdatedJune 10, 2026
claudeclaude-codecursorfrontendstripedocxgitapidatabasetestingbackendaccountantfinancial-analystcfo-fparevenue-operationsbusiness-developmentfinance accountingsales
mvanhorn/printing-press-library