Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Meridian GIS API

v1.0.2

Use the Meridian GIS API (meridian.nodeapi.ai) to process geospatial data. Handles the full x402 payment flow automatically — sends a request, reads the 402...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability (flagged)
The skill claims to provide GIS processing with an x402 micropayment flow, which matches the endpoints and payment docs included. However, the SKILL.md and references differ on base URLs (e.g., meridian.nodeapi.ai vs meridianapi.nodeapi.ai) and the description says "No accounts or API keys needed" while the payment flow requires signing with a wallet private key. Those inconsistencies make it unclear what credentials or user secrets are actually required.
Instruction Scope (flagged)
The included instructions explicitly show using a WALLET_PRIVATE_KEY and signing EIP-3009 transferWithAuthorization to produce an X-PAYMENT header. SKILL.md and references instruct installing/using an x402 client and either automatic signing (passing a private key) or manual signing. The instructions therefore direct use of a highly sensitive secret (wallet private key) without describing safer alternatives (external wallet pop-ups, hardware wallets, or user-mediated signing).
Install Mechanism
This is an instruction-only skill (no install spec and no code files), which lowers installation risk. The docs reference third-party libraries (pip/npm 'x402') for convenience, but no automated installer is provided. The presence of install recommendations is expected but means the agent or user may be prompted to install packages.
Credentials (flagged)
The skill declares no required environment variables, yet examples and the payment reference recommend supplying a WALLET_PRIVATE_KEY private key to sign payments. Requesting or advising the agent to read/store a wallet private key is high-risk and disproportionate unless the user intentionally wants the agent to hold that secret. There is no declaration of this credential in the skill metadata, and the docs do not clearly describe safer signing workflows.
Persistence & Privilege
The skill does not request always:true, does not include an install spec that would write files, and does not ask to modify other skills or system-wide settings. It appears not to request elevated persistent privileges.
What to consider before installing
This skill appears to implement a paid GIS API that charges via x402 (USDC on Base). Before installing or using it:
(1) Do not paste or store your wallet private key in environment variables or hand it to an agent — the skill's examples suggest passing WALLET_PRIVATE_KEY to sign payments, which would give full control of funds; prefer a workflow where you sign payments locally or use an external wallet/provider.
(2) Ask the publisher to clarify the signing flow and whether client-side signing (wallet pop-up or hardware wallet) is supported instead of providing raw keys.
(3) Verify the correct API host (the docs use inconsistent domains: meridian.nodeapi.ai vs meridianapi.nodeapi.ai) and independently confirm the pay_to and USDC contract addresses before sending any payments.
(4) If you must use this skill, require explicit manual approval for any payment operations and avoid storing long-lived secrets in the agent environment.
If the vendor cannot explain why a private key is needed or cannot provide a safer signing option, treat the skill as high-risk.
