Meerkat Governance

Pass. Audited by ClawScan on May 1, 2026.

Overview

This is a coherent governance API integration, but users should know it sends selected content to Meerkat and uses a Meerkat API key.

This skill appears coherent and purpose-aligned. Before installing, confirm you are comfortable sending selected prompts, outputs, and source data to Meerkat, protect the MEERKAT_API_KEY, and review the provider’s audit-retention and privacy terms for sensitive use cases.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Potentially sensitive healthcare, financial, legal, or business content may be sent to Meerkat if the agent or developer chooses to verify it.

Why it was flagged

The skill sends user requests, AI outputs, and source data to an external provider endpoint, which is central to the stated governance purpose but still creates an external data boundary.

Skill content

curl -s -X POST https://api.meerkatplatform.com/v1/verify ... -d "{\"input\": \"<USER_REQUEST>\", \"output\": \"<AI_OUTPUT>\", \"context\": \"<SOURCE_DATA>\", \"domain\": \"<DOMAIN>\"}"

Recommendation

Only send content that is appropriate for Meerkat to process, and review the provider privacy policy before using it with sensitive data.

What this means

If the API key is exposed, another party could use the Meerkat account quota or access account-linked audit records permitted by that key.

Why it was flagged

The integration requires a bearer API key for Meerkat, which is expected for this service but should be treated as an account credential.

Skill content

-H "Authorization: Bearer $MEERKAT_API_KEY"

Recommendation

Store the key securely, avoid pasting it into prompts or shared files, and rotate it if it may have been exposed.

What this means

Audit metadata and session history may be retrievable later through the Meerkat API.

Why it was flagged

The artifacts disclose provider-side audit records and session linkage. This is purpose-aligned for governance, but it means metadata and linked verification history may persist outside the local agent.

Skill content

Every shield and verify call is logged with an audit ID. The `/v1/audit/<audit_id>` endpoint retrieves the full record. Add `?include_session=true` to see all linked attempts in a retry session.

Recommendation

Understand what audit metadata is retained and who can access it under the API key before using the skill for sensitive workflows.