Maestro Api
Warn. Audited by ClawScan on May 18, 2026.
Overview
The skill is coherent for Maestro API payments, but it asks for wallet or private-key authority and can spend USDC on API credits without clearly requiring approval and spend limits for every payment.
If you install it, use it only with a dedicated low-balance wallet or a scoped signer, verify the Maestro endpoint and its payment terms yourself, and require confirmation for every USDC purchase rather than only for the first paid request.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user supplies a main-wallet private key or a broadly authorized signer, the agent can sign authentication and payment messages with it, so any misuse puts that wallet's funds at risk.
A raw wallet private key or signer plus funded USDC/gas grants high-impact account and payment authority; the artifacts do not define a scoped signer, safe key-handling boundary, or spend limit.
Ask only for what is required to sign and pay:
- `PRIVATE_KEY`, or a runtime CDP wallet signer
- enough `USDC` and native gas on one network from the live `402` response
Use a dedicated low-balance wallet or scoped signer, do not paste a main wallet private key, and require the skill to declare the credential and payment limits clearly.
The agent may spend USDC on API credits during follow-up requests without a clearly stated approval requirement for each purchase.
The skill authorizes credit purchases from live server-provided payment terms, but only explicitly requires confirmation before the first paid mainnet request, leaving later purchases and amounts insufficiently bounded.
If that retry returns `402` plus `Authorization: Bearer <jwt>`, buy credits from the latest `accepts[]` entry ... Confirm before the first paid mainnet request.
Require explicit user approval for every paid request, including network, payee, asset, exact amount, maximum spend, and whether retries may reuse the payment payload.
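A spend guard that implements both recommendations above (a capped, allow-listed boundary in front of the signer, and explicit approval of every paid request rather than only the first), as an added example that is not code from the Maestro API skill or from ClawScan. The `402` body field names (`accepts[]`, `network`, `payTo`, `asset`, `maxAmountRequired`) are assumed to follow the x402 layout, the sample response and all addresses are constructed placeholders, and `SpendPolicy`, `authorize_payment` and `demo_policy` are hypothetical names; the agent would call `authorize_payment` before handing any payment to the signer.

```python
"""Per-payment spend guard for an agent that pays from a 402 response.

Added example for this audit page; not code from the Maestro API skill or
from ClawScan. The 402 body layout (accepts[] entries carrying network,
payTo, asset and maxAmountRequired) is assumed to follow the x402
convention; every address and URL below is a placeholder.
"""
from dataclasses import dataclass, field
from typing import Callable

# Constructed 402 body standing in for a live Maestro reply; not captured traffic.
SAMPLE_402 = {
    "x402Version": 1,
    "accepts": [
        {   # assumed field names; amounts are USDC atomic units (6 decimals)
            "scheme": "exact",
            "network": "base",
            "payTo": "0x1111111111111111111111111111111111111111",
            "asset": "0x2222222222222222222222222222222222222222",
            "maxAmountRequired": "250000",  # 0.25 USDC
        }
    ],
}


class PaymentRefused(Exception):
    """Raised when a payment falls outside the user-approved policy."""


@dataclass
class SpendPolicy:
    allowed_networks: frozenset
    allowed_payees: frozenset        # lower-cased addresses
    allowed_assets: frozenset        # lower-cased token contract addresses
    per_payment_cap: int             # atomic units
    session_cap: int                 # atomic units, cumulative for this session
    approve: Callable[[dict], bool]  # user confirmation, invoked for EVERY payment
    spent: int = 0
    used_payloads: set = field(default_factory=set)


def select_terms(body: dict, policy: SpendPolicy) -> dict:
    """Take the latest accepts[] entry, but only if every field is allow-listed."""
    accepts = body.get("accepts") or []
    if not accepts:
        raise PaymentRefused("402 response carries no accepts[] terms")
    terms = accepts[-1]
    if terms.get("network") not in policy.allowed_networks:
        raise PaymentRefused(f"network {terms.get('network')!r} not approved")
    if str(terms.get("payTo", "")).lower() not in policy.allowed_payees:
        raise PaymentRefused(f"payee {terms.get('payTo')!r} not approved")
    if str(terms.get("asset", "")).lower() not in policy.allowed_assets:
        raise PaymentRefused(f"asset {terms.get('asset')!r} not approved")
    return terms


def authorize_payment(body: dict, policy: SpendPolicy, payload_id: str,
                      reuse_allowed: bool = False) -> dict:
    """Gate one purchase: allow-lists, caps, payload reuse, then explicit approval.

    Returns the summary the user approved and records the spend; raises
    PaymentRefused otherwise. Nothing here signs: the caller hands the
    signer a payment only after this returns.
    """
    terms = select_terms(body, policy)
    amount = int(terms["maxAmountRequired"])
    if amount <= 0:
        raise PaymentRefused("non-positive amount")
    if amount > policy.per_payment_cap:
        raise PaymentRefused(f"{amount} exceeds per-payment cap {policy.per_payment_cap}")
    if policy.spent + amount > policy.session_cap:
        raise PaymentRefused(f"total {policy.spent + amount} would exceed session cap")
    # A retry that re-sends the same payment payload is a second charge from the
    # user's point of view; refuse it unless the user opted in.
    if payload_id in policy.used_payloads and not reuse_allowed:
        raise PaymentRefused("retry would reuse an already-spent payment payload")
    summary = {
        "network": terms["network"],
        "payee": terms["payTo"],
        "asset": terms["asset"],
        "amount": amount,
        "remaining_after": policy.session_cap - policy.spent - amount,
    }
    if not policy.approve(summary):
        raise PaymentRefused("user declined this payment")
    policy.spent += amount
    policy.used_payloads.add(payload_id)
    return summary


def demo_policy(prompts: list) -> SpendPolicy:
    """Policy for the constructed sample; `prompts` collects each approval request."""
    def approve(summary: dict) -> bool:
        prompts.append(summary["amount"])  # stands in for a real user prompt
        return True
    return SpendPolicy(
        allowed_networks=frozenset({"base"}),
        allowed_payees=frozenset({SAMPLE_402["accepts"][0]["payTo"].lower()}),
        allowed_assets=frozenset({SAMPLE_402["accepts"][0]["asset"].lower()}),
        per_payment_cap=500_000,  # 0.50 USDC
        session_cap=600_000,      # 0.60 USDC
        approve=approve,
    )


if __name__ == "__main__":
    asked = []
    policy = demo_policy(asked)
    for payload in ("pay-1", "pay-1", "pay-2", "pay-3"):
        try:
            print("approved", authorize_payment(SAMPLE_402, policy, payload))
        except PaymentRefused as why:
            print("refused", payload, "-", why)
    print("approval prompts:", len(asked), "spent:", policy.spent)
```

The `approve` callback runs for every payment, so the second purchase is prompted exactly like the first; the payload check treats a retried payment as a new charge unless `reuse_allowed` is passed, and the session cap refuses the third purchase before the user is even asked.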
