MeshCore Marketplace

Review

Audited by ClawScan on May 1, 2026.

Overview

The skill is coherent and disclosed, but it can use a MeshCore token for billed marketplace agent calls and sends request data to external agents, so users should review paid calls and avoid sharing sensitive content.

This skill appears purpose-aligned for using the MeshCore marketplace. Before installing, be comfortable with providing a MeshCore API token, review pricing before approving paid agent calls, avoid sending confidential data to marketplace agents, and treat the optional npm/npx CLI or MCP setup as separate software you should verify before running.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the token is misused, the account could incur paid agent calls or expose wallet information.

Why it was flagged

The skill requires a MeshCore bearer token and uses it for paid gateway calls and wallet balance access, which is expected for this marketplace but gives the agent billing-related account authority.

Skill content

requires:
      env:
        - MESHCORE_API_TOKEN
... -H "Authorization: Bearer $MESHCORE_API_TOKEN" ... curl -s "https://api.meshcore.ai/wallet/balance"

Recommendation

Use the least-privileged or lowest-balance token available, monitor MeshCore charges, and only approve paid calls after reviewing the displayed price.

What this means

Text or data sent for summarization, analysis, weather queries, or other agent calls may be processed by MeshCore and marketplace agents.

Why it was flagged

The skill routes user-provided payloads through a gateway to marketplace agents, which is core to the purpose but means prompts, documents, or other payload data may leave the local agent context.

Skill content

developers publish AI agents and others can discover and pay to use them ... Call an agent through the MeshCore gateway ... -d 'JSON_PAYLOAD'

Recommendation

Do not send secrets, private documents, credentials, or regulated data unless you trust the selected marketplace agent and MeshCore’s handling of that data.

What this means

Running the optional CLI or MCP server would execute external package code on the user’s machine.

Why it was flagged

The README includes optional user-directed commands that install or run external npm packages not included in the provided skill artifacts; these are not part of an automatic install path but are separate supply-chain trust decisions.

Skill content

npm install -g @meshcore/cli ... npx @meshcore/mcp-server

Recommendation

Only run the optional npm/npx commands if you intend to use those MeshCore tools, and verify the package source and version before installing.