Back to skill
Skillv0.1.3
VirusTotal security
Metered API Marketplace · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
BenignApr 30, 2026, 4:39 AM
- Hash
- 99f3a2eb06ec7661a6395ef5bf5b1942dbad37258bf96043a46261ec834a1d83
- Source
- palm
- Verdict
- benign
- Code Insight
- Type: OpenClaw Skill Name: metered-api-marketplace Version: 0.1.3 The skill bundle implements a metered API marketplace with API key authentication, usage tracking, and payment webhooks. The code uses standard security practices such as HMAC-SHA256 for signature verification with timing-safe comparisons, and parameterized queries for all database interactions (PostgreSQL via `pg` library), effectively preventing SQL injection. The 'transformers' are pure functions, explicitly designed to be stateless and without I/O, which limits their attack surface. Sensitive configurations like `DATABASE_URL`, `ADMIN_TOKEN`, and various webhook secrets are expected to be provided via environment variables, which is a standard practice. While misconfiguration of these secrets could lead to vulnerabilities, the code itself does not exhibit any malicious intent, data exfiltration, unauthorized command execution, or prompt injection attempts in the `SKILL.md` or other documentation. All functionalities align with the stated purpose of building a monetized API service.
- External report
- View on VirusTotal