Shieldapi
v3.0.3
ShieldAPI — x402 Security Intelligence for AI Agents. 11 endpoints: password range check (k-anonymity), password check (deprecated), email breach lookup, dom...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (ShieldAPI security intelligence, multiple reputation and breach endpoints) aligns with the runtime instructions (HTTP endpoints, demo mode, cost per call). Required runtime dependency is only curl, which is proportionate for an instruction-only skill that issues HTTP requests.
Instruction Scope
SKILL.md confines activity to calling ShieldAPI endpoints and explicitly warns about payment-key handling and privacy-preserving password checks (k-anonymity). It does advise sending skill/plugin URLs for the scan-skill endpoint and sending domains/IPs/URLs to ShieldAPI (the provider logs scanned items), so users should be aware that data will be sent off-agent. The guide mandates out-of-band signing for payments, but does not provide an integrated signer — this is operationally important and may be unclear to some deployments.
Install Mechanism
No install spec or third-party downloads; instruction-only skill with no code files is low-risk from an install perspective.
Credentials
The skill declares no required environment variables or credentials, which matches the 'no account, no API key' claim. However, the service requires on-chain USDC payments (x402) when not using demo mode; that implies the agent or integrator will need a signing mechanism or pre-built X-PAYMENT header generated by a wallet — the skill correctly forbids agents from handling raw private keys, so you must provide a secure signer (platform wallet, hardware signer, or proxy).
Persistence & Privilege
always is false and the skill has no install or configuration persistence. It does not request system-level privileges or attempt to modify other skills.
Assessment
This skill appears to do what it says (remote security checks) and requests no secrets or installs — but take these precautions before enabling it:
1) Use demo mode (?demo=true) first to verify responses without payments or data leakage.
2) Do NOT paste private keys, mnemonics, or wallet seeds into the agent; follow the SKILL.md guidance to use an out-of-band secure signer or platform wallet to produce any X-PAYMENT header.
3) Be aware that the provider explicitly logs scanned domains/URLs/IPs to build a 'Security Graph' — avoid sending sensitive or private hostnames, emails, or data you don't want shared.
4) Prefer the check-password-range (k-anonymity) endpoint instead of the deprecated full-hash endpoint for any password-related checks.
5) If you plan to use scan-skill or upload skill/plugin URLs, ensure those manifests contain no secrets before sending.
6) Verify the service endpoint (https://shield.vainplex.dev) and privacy policy yourself if you will use it with real data or real payments.
If you need higher assurance, request the provider's cryptographic payment/invoice format and test a payment flow in a controlled environment first.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: curl
