Meerkat Governance
v1.0.4
AI governance API with two endpoints. Shield scans untrusted content for prompt injection and threats. Verify checks AI output for hallucinations, numerical...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (governance: shield and verify endpoints) align with what the skill asks for: a single MEERKAT_API_KEY and curl-style HTTP calls to api.meerkatplatform.com. Nothing in the metadata or SKILL.md requires unrelated cloud credentials, system binaries, or local configuration.
Instruction Scope
SKILL.md contains explicit curl examples and descriptions of the two API endpoints and does not instruct the agent to read unrelated files, search system state, or exfiltrate other credentials. It states the developer controls which content is sent and that the skill does not auto-activate, which is consistent with an instruction-only API integration.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only and relies on outbound HTTPS requests. That is low-risk compared with download-and-exec install mechanisms.
Credentials
The skill requires a single API key (MEERKAT_API_KEY), which is proportionate for a hosted API service. Minor inconsistency: registry metadata shows no 'primary credential' but the SKILL.md and requirements declare MEERKAT_API_KEY; this is a small metadata omission rather than a security problem.
Persistence & Privilege
always is false and the skill is instruction-only with no install, so it does not request persistent system presence. The normal platform default allowing autonomous invocation remains, but that is expected and not combined with other red flags here.
Assessment
This skill appears coherent: it calls an external governance API and needs one API key. Before installing, verify the endpoint hostname (api.meerkatplatform.com) and TLS certificate, review Meerkat's privacy and data-retention policy, restrict and rotate the API key if possible, and monitor X-Meerkat-Usage/X-Meerkat-Remaining headers for unexpected activity. Because the skill makes outbound requests, avoid sending highly sensitive raw data unless you confirm the vendor's retention and jurisdiction policies. The metadata omission of a declared 'primary credential' is minor but you may want to confirm that MEERKAT_API_KEY is the only secret required and that the key's permissions are limited.
Like a lobster shell, security has layers — review code before you run it.
Tags: governance, hallucination-detection, latest, prompt-injection, safety, security
Runtime requirements
🔒 Clawdis
Env: MEERKAT_API_KEY
