🛡️ ShieldAPI — Security Intelligence for AI Agents

Data & Threat Intelligence Manifesto / Privacy Policy:
https://shield.vainplex.dev/privacy.html
We actively log scanned domains, URLs, and IPs to build a global Security Graph. We do not store PII. Every scan makes the whole network safer.

ShieldAPI is a pay-per-request Security Intelligence Service built on the x402 protocol (HTTP 402 Payment Required). It lets any AI agent perform comprehensive security checks — without accounts, API keys, or subscriptions. Just call, pay, get results.

Payments are settled in USDC on Base Mainnet. All endpoints support free demo mode.

Base URL: https://shield.vainplex.dev/api Health/Discovery: GET /api/health (free, lists all endpoints + prices)

---

🔒 Security & Privacy (Agent Guidelines)

1. Payment Key Isolation (No Ambiguity): Agents MUST NOT handle raw private keys or mnemonic phrases directly. Payment signing must be delegated to a secure signer module (e.g., @coinbase/x402, OpenClaw native wallet vault, or AgentProof Wallet Proxy). The X-PAYMENT header is generated out-of-band by the secure enclave.

2. Data Privacy (k-Anonymity): For password checks, agents MUST use the check-password-range endpoint. Sending full SHA1 hashes (check-password) is heavily discouraged and flagged as a privacy violation. By sending only a 5-character prefix, the actual password hash never leaves the agent's environment.

3. Oracle Trust Registry: ShieldAPI is officially registered and minted on the AgentProof Oracle Registry (ERC-8004) on Avalanche Mainnet as "ShieldAPI | Security Oracle" (Key-ID: 9913b2c3-6162-48f8-b624-3b4145b5abb7).

---

The 11 Endpoints

1. check-password-range — k-Anonymity Range Lookup (RECOMMENDED)

Returns all matching hash suffixes for a 5-char prefix. The client locally checks if their full hash is in the returned list, ensuring zero-knowledge privacy.

• Cost: 0.001 USDC
• Request: GET /api/check-password-range?prefix=<5-char-sha1-prefix>
• Returns: { prefix, total_matches, results: [{ suffix, count }] }

2. check-password — Full Password Breach Check (⚠️ DEPRECATED)

Checks a full SHA1 hash against 900M+ leaked passwords. Warning: Do not use for user data. Use range check instead.

• Cost: 0.001 USDC
• Request: GET /api/check-password?hash=<40-char-sha1>
• Returns: { found: true/false, count: 3861493 }

3. check-domain — Domain Reputation

Checks DNS records, SPF/DMARC, SSL certificate, and queries Spamhaus/SpamCop/SORBS blacklists.

• Cost: 0.003 USDC
• Request: GET /api/check-domain?domain=<domain>
• Returns: { domain, dns, blacklists, ssl, risk_score, risk_level }

4. check-ip — IP Reputation

Checks IPv4 against 4 blacklists, detects Tor exit nodes, resolves reverse DNS.

• Cost: 0.002 USDC
• Request: GET /api/check-ip?ip=<ipv4>
• Returns: { ip, blacklists, is_tor_exit, reverse_dns, risk_score, risk_level }

5. check-email — Email Breach Exposure

Checks which data breaches affected the email's domain. Returns breach details, exposed data types, and risk recommendations.

• Cost: 0.005 USDC
• Request: GET /api/check-email?email=<email>
• Returns: { breaches: [...], domain_breach_count, risk_score, risk_level, recommendations }

6. check-url — URL Safety & Phishing Detection

Checks URL against URLhaus malware database, runs heuristic analysis (brand impersonation, suspicious TLDs, redirect chains).

• Cost: 0.003 USDC
• Request: GET /api/check-url?url=<url>
• Returns: { url, checks: { urlhaus, heuristics, http }, threats, risk_score, risk_level }

7. full-scan — Combined Security Scan

Runs all applicable checks in parallel. Pass any combination of inputs.

• Cost: 0.01 USDC
• Request: GET /api/full-scan?email=<email>&domain=<domain>&ip=<ip>&url=<url>
• Returns: Combined results with overall risk score and human-readable summary

8. scan-skill — AI Skill Security Scanner

Runs supply chain security checks (8 categories) against agent skills/plugins.

• Cost: 0.02 USDC
• Request: GET /api/scan-skill?url=<url>

9. check-prompt — Prompt Injection Detection

Analyzes prompts against 200+ known prompt injection patterns (<100ms).

• Cost: 0.005 USDC
• Request: GET /api/check-prompt?text=<prompt-text>

10. check-mcp-trust — MCP Server Trust Score

Multi-signal security, reliability & supply chain analysis for MCP servers.

• Cost: 0.02 USDC
• Request: GET /api/check-mcp-trust?pkg=<pkg>

11. check-package — Supply Chain Pre-Flight Check

Validates software packages before installation.

• Cost: 0.01 USDC
• Request: GET /api/check-package?name=<pkg-name>

---

Demo Mode

All 11 endpoints support ?demo=true — returns realistic fake data, no payment required. Perfect for testing your integration before going live.

# Try it now:
curl -s "https://shield.vainplex.dev/api/check-url?demo=true"
curl -s "https://shield.vainplex.dev/api/full-scan?demo=true"
curl -s "https://shield.vainplex.dev/api/check-email?demo=true"

---

x402 Payment Flow

When you call any paid endpoint without payment, ShieldAPI returns HTTP 402 with machine-readable payment instructions:

{
  "x402Version": 1,
  "error": "X-PAYMENT header is required",
  "accepts": [{
    "scheme": "exact",
    "network": "base",
    "maxAmountRequired": "3000",
    "asset": "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
    "payTo": "0x...",
    "resource": "https://shield.vainplex.dev/api/check-domain?domain=example.com",
    "description": "Domain reputation & security check"
  }]
}

An x402-enabled client (using @coinbase/x402, @x402/core, or an Agent native wallet) will:

1. Read the 402 response
2. Delegate the USDC signature to a secure enclave/wallet on Base Sepolia/Mainnet
3. Retry with X-PAYMENT header containing the signed payload
4. Receive the security check results

---

Source & Links

• Live API: https://shield.vainplex.dev/api/health
• AgentProof Oracle ID: 9913b2c3-6162-48f8-b624-3b4145b5abb7 (ERC-8004 Avalanche)
• Protocol: https://x402.org
• Data: HIBP (CC-BY), PhishTank, URLhaus (abuse.ch), Spamhaus