ClawHub
Back to skill
v1.0.4

Meerkat Governance

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:54 AM.

Analysis

This is a coherent governance API integration, but users should know it sends selected content to Meerkat and uses a Meerkat API key.

GuidanceThis skill appears coherent and purpose-aligned. Before installing, confirm you are comfortable sending selected prompts, outputs, and source data to Meerkat, protect the MEERKAT_API_KEY, and review the provider’s audit-retention and privacy terms for sensitive use cases.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityInfoConfidenceHighStatusNote
SKILL.md
-H "Authorization: Bearer $MEERKAT_API_KEY"

The integration requires a bearer API key for Meerkat, which is expected for this service but should be treated as an account credential.

User impactIf the API key is exposed, another party could use the Meerkat account quota or access account-linked audit records permitted by that key.
RecommendationStore the key securely, avoid pasting it into prompts or shared files, and rotate it if it may have been exposed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
curl -s -X POST https://api.meerkatplatform.com/v1/verify ... -d "{\"input\": \"<USER_REQUEST>\", \"output\": \"<AI_OUTPUT>\", \"context\": \"<SOURCE_DATA>\", \"domain\": \"<DOMAIN>\"}"

The skill sends user requests, AI outputs, and source data to an external provider endpoint, which is central to the stated governance purpose but still creates an external data boundary.

User impactPotentially sensitive healthcare, financial, legal, or business content may be sent to Meerkat if the agent or developer chooses to verify it.
RecommendationOnly send content that is appropriate for Meerkat to process, and review the provider privacy policy before using it with sensitive data.
Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
SKILL.md
Every shield and verify call is logged with an audit ID. The `/v1/audit/<audit_id>` endpoint retrieves the full record. Add `?include_session=true` to see all linked attempts in a retry session.

The artifacts disclose provider-side audit records and session linkage. This is purpose-aligned for governance, but it means metadata and linked verification history may persist outside the local agent.

User impactAudit metadata and session history may be retrievable later through the Meerkat API.
RecommendationUnderstand what audit metadata is retained and who can access it under the API key before using the skill for sensitive workflows.