mercadopago
Integrates Mercado Pago for seamless payment processing in Node.js/TypeScript applications, ideal for Latin American markets.
Security score
The mercadopago skill was audited on May 12, 2026 and we found 38 security issues across 4 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 96 | const manifest = `id:${dataId};request-id:${xRequestId};ts:${ts};`; |
Fetch to external URL
| 139 | const response = await fetch('https://api.mercadopago.com/oauth/token', { |
Fetch to external URL
| 156 | const response = await fetch('https://api.mercadopago.com/oauth/token', { |
Webhook reference - potential data exfiltration
| 4 | Mercado Pago payment integration for Node.js/TypeScript applications. Covers the official MCP Server, Node.js SDK (mercadopago npm), Checkout Pro, Checkout Bricks, Checkout API, OAuth marketplace mode |
Webhook reference - potential data exfiltration
| 5 | Use this skill whenever working with Mercado Pago payments, MercadoPago API, checkout preferences, payment links, MP webhooks, MP OAuth, marketplace fees, or the mercadopago npm package. Also triggers |
Webhook reference - potential data exfiltration
| 54 | notification_url: 'https://yoursite.com/webhooks/mp?source_news=webhooks', |
Webhook reference - potential data exfiltration
| 74 | ## Webhook Handling |
Webhook reference - potential data exfiltration
| 76 | Webhooks notify you of payment status changes. The payload only contains `data.id` (payment ID) — always fetch full payment details after receiving a webhook. |
Webhook reference - potential data exfiltration
| 83 | function verifyWebhookSignature( |
Webhook reference - potential data exfiltration
| 87 | secret: string // webhook secret from MP dashboard |
Webhook reference - potential data exfiltration
| 104 | ### Webhook Best Practices |
Webhook reference - potential data exfiltration
| 108 | - Always fetch full payment via `Payment.get({ id })` after webhook |
Webhook reference - potential data exfiltration
| 109 | - Append `?source_news=webhooks` to `notification_url` to get only webhook format (not legacy IPN) |
Webhook reference - potential data exfiltration
| 110 | - Webhook URL must be HTTPS and publicly accessible |
Webhook reference - potential data exfiltration
| 206 | Tools: `create_payment`, `create_payment_link`, `search_payments`, `get_payment`, `refund_payment`, `create_subscription`, `create_customer`, `batch_create_payments`, `monitor_payment`, `analyze_fraud |
Webhook reference - potential data exfiltration
| 232 | For detailed patterns including database schemas, multi-tenant preference creation, payment status details, rejection reason codes, and the full webhook topic list, read `references/api-patterns.md`. |
Webhook reference - potential data exfiltration
| 241 | - [Webhooks](https://www.mercadopago.com.ar/developers/en/docs/your-integrations/notifications/webhooks) |
Access to .env file
| 143 | client_id: process.env.MP_CLIENT_ID, |
Access to .env file
| 144 | client_secret: process.env.MP_CLIENT_SECRET, |
Access to .env file
| 147 | redirect_uri: process.env.MP_REDIRECT_URI, |
Access to .env file
| 160 | client_id: process.env.MP_CLIENT_ID, |
Access to .env file
| 161 | client_secret: process.env.MP_CLIENT_SECRET, |
External URL reference
| 54 | notification_url: 'https://yoursite.com/webhooks/mp?source_news=webhooks', |
External URL reference
| 56 | success: 'https://yoursite.com/payment/success', |
External URL reference
| 57 | failure: 'https://yoursite.com/payment/failure', |
External URL reference
| 58 | pending: 'https://yoursite.com/payment/pending' |
External URL reference
| 129 | https://auth.mercadopago.com/authorization |
External URL reference
| 134 | &redirect_uri=https://yoursite.com/connect/mp/callback |
External URL reference
| 139 | const response = await fetch('https://api.mercadopago.com/oauth/token', { |
External URL reference
| 156 | const response = await fetch('https://api.mercadopago.com/oauth/token', { |
External URL reference
| 183 | "args": ["-y", "mcp-remote@latest", "https://mcp.mercadopago.com/mcp", |
External URL reference
| 238 | - [Checkout Pro](https://www.mercadopago.com.ar/developers/en/docs/checkout-pro/overview) |
External URL reference
| 239 | - [Checkout Bricks](https://www.mercadopago.com.ar/developers/en/docs/checkout-bricks/overview) |
External URL reference
| 240 | - [Checkout API](https://www.mercadopago.com.ar/developers/en/docs/checkout-api-orders/overview) |
External URL reference
| 241 | - [Webhooks](https://www.mercadopago.com.ar/developers/en/docs/your-integrations/notifications/webhooks) |
External URL reference
| 242 | - [OAuth / Credentials](https://www.mercadopago.com.ar/developers/en/docs/your-integrations/credentials) |
External URL reference
| 244 | - [API Reference](https://www.mercadopago.com.ar/developers/en/reference) |
External URL reference
| 245 | - [MCP Server Docs](https://www.mercadopago.com.uy/developers/es/docs/mcp-server/overview) |