Shieldapi
Review
Audited by ClawScan on May 10, 2026.
Overview
ShieldAPI appears to be a coherent security-checking API skill, but users should notice that it sends queried data to an external service and can incur USDC micropayment charges if connected to a signer.
This skill looks reasonable for security lookups, but treat it like an external paid API: test with demo=true, set payment limits before enabling USDC-paid calls, and avoid sending secrets or sensitive prompt/email/URL data unless you accept ShieldAPI’s handling and logging practices.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a payment signer is connected, use of the paid endpoints may spend small amounts of USDC per request.
The skill is designed to make external paid API calls. This is disclosed and purpose-aligned, but an agent with payment capability could incur per-request charges.
Payments are settled in USDC on Base Mainnet. All endpoints support free demo mode.
Use demo mode for testing and configure explicit approval, budgets, or spend limits before allowing paid calls.
A connected signer or wallet proxy can authorize payments, so its limits matter even though the skill does not request raw keys.
The artifact expects wallet/payment signing authority for paid x402 requests, while also instructing agents not to touch raw secrets.
Agents MUST NOT handle raw private keys or mnemonic phrases directly. Payment signing must be delegated to a secure signer module
Use a scoped, low-balance wallet or signer with approval prompts and never provide seed phrases or raw private keys to the agent.
Domains, URLs, IPs, emails, or prompt text submitted for checks may leave the local environment; some indicators may be retained by the provider.
The skill sends user-selected security queries to an external provider, and the provider states that some scanned indicators are logged.
We actively log scanned domains, URLs, and IPs to build a global Security Graph. ... GET /api/check-email?email=<email> ... GET /api/check-prompt?text=<prompt-text>
Only submit data you are comfortable sharing with ShieldAPI, avoid secrets in prompt or URL checks, and review the linked privacy policy before use.
