技能详情(站内镜像,无评论)
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v0.2.0
统计:⭐ 0 · 237 · 0 current installs · 0 all-time installs
⭐ 0
安装量(当前) 0
🛡 VirusTotal :良性 · OpenClaw :可疑
Package:alberthild/shieldapi
安全扫描(ClawHub)
- VirusTotal :良性
- OpenClaw :可疑
OpenClaw 评估
The skill's stated functionality matches its description, but important implementation and operational gaps (payment signing, source availability, and privacy risks from sending full password hashes) make its claims unclear and potentially risky.
目的
The skill's name and endpoint list match a security-intelligence service; requiring only curl is coherent for demo/test calls. However the skill advertises pay-per-request USDC payments (x402) yet declares no mechanism or required credentials for signing payments (no wallet/private-key env var or client library install). That mismatch means the described paid flow cannot be executed as-is with just curl — the README references x402 libraries b…
说明范围
SKILL.md instructs agents to call external endpoints and to submit inputs including full SHA1 password hashes, emails, domains, IPs, and URLs. Sending full password hashes or other sensitive identifiers to a third-party service is a privacy/security risk — the k-anonymity endpoint exists but the primary `check-password` endpoint explicitly sends full hashes. The payment flow is described at a protocol level but the instructions do not explain …
安装机制
This is an instruction-only skill with no install spec or code files; that minimizes disk write/execute risk. It only requires curl to be present, which is reasonable for the provided curl examples.
证书
The skill declares no required environment variables or credentials despite describing a paid flow requiring USDC signatures. If a user wanted to perform paid requests, the agent would need access to a wallet/private key or an x402-capable signer; the SKILL.md neither requests nor documents how those secrets should be provided. That omission is a proportionality/integrity issue. Also the skill could cause sensitive data to be transmitted off-h…
持久
The skill does not request persistent presence (always:false), does not modify other skills, and has no install component. Autonomous invocation is enabled by default but not combined here with other concerning privileges.
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「ShieldAPI Security Intelligence」。简介:ShieldAPI — x402 Security Intelligence for AI Agents. 7 endpoints: password bre…。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/alberthild/shieldapi/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
---
name: shieldapi
description: "ShieldAPI — x402 Security Intelligence for AI Agents. 7 endpoints: password breach check (900M+ HIBP hashes), email breach lookup, domain reputation (DNS/blacklists/SSL/SPF/DMARC), IP reputation (Tor/blacklists), URL safety (phishing/malware/brand impersonation), and full security scan. Pay-per-request with USDC micropayments ($0.001-$0.01). No account, no API key, no subscription. Demo mode on all endpoints."
metadata:
{
"openclaw": {
"requires": { "bins": ["curl"] }
}
}
---
# 🛡️ ShieldAPI — Security Intelligence for AI Agents
ShieldAPI is a pay-per-request Security Intelligence Service built on the **x402** protocol (HTTP 402 Payment Required). It lets any AI agent perform comprehensive security checks — without accounts, API keys, or subscriptions. Just call, pay, get results.
Payments are settled in USDC on Base Sepolia. All endpoints support free demo mode.
**Base URL:** `https://shield.vainplex.dev/api`
**Health/Discovery:** `GET /api/health` (free, lists all endpoints + prices)
---
## Endpoints
### 1. `check-password` — Password Breach Check
Checks a full SHA1 hash against 900M+ leaked passwords (HIBP Pwned Passwords).
- **Cost:** 0.001 USDC
- **Request:** `GET /api/check-password?hash=<40-char-sha1>`
- **Returns:** `{ found: true/false, count: 3861493 }`
### 2. `check-password-range` — k-Anonymity Range Lookup
Returns all matching hash suffixes for a 5-char prefix (privacy-preserving).
- **Cost:** 0.001 USDC
- **Request:** `GET /api/check-password-range?prefix=<5-char-sha1-prefix>`
- **Returns:** `{ prefix, total_matches, results: [{ suffix, count }] }`
### 3. `check-domain` — Domain Reputation
Checks DNS records, SPF/DMARC, SSL certificate, and queries Spamhaus/SpamCop/SORBS blacklists.
- **Cost:** 0.003 USDC
- **Request:** `GET /api/check-domain?domain=<domain>`
- **Returns:** `{ domain, dns, blacklists, ssl, risk_score, risk_level }`
### 4. `check-ip` — IP Reputation
Checks IPv4 against 4 blacklists, detects Tor exit nodes, resolves reverse DNS.
- **Cost:** 0.002 USDC
- **Request:** `GET /api/check-ip?ip=<ipv4>`
- **Returns:** `{ ip, blacklists, is_tor_exit, reverse_dns, risk_score, risk_level }`
### 5. `check-email` — Email Breach Exposure
Checks which data breaches affected the email's domain. Returns breach details, exposed data types, and risk recommendations.
- **Cost:** 0.005 USDC
- **Request:** `GET /api/check-email?email=<email>`
- **Returns:** `{ breaches: [...], domain_breach_count, risk_score, risk_level, recommendations }`
- **Example:** `test@linkedin.com` → 3 breaches (2012: 164M accounts, 2021 scrape: 125M, 2023 scrape: 19M)
### 6. `check-url` — URL Safety & Phishing Detection
Checks URL against URLhaus malware database, runs heuristic analysis (brand impersonation, suspicious TLDs, redirect chains), and probes HTTP.
- **Cost:** 0.003 USDC
- **Request:** `GET /api/check-url?url=<url>`
- **Returns:** `{ url, checks: { urlhaus, heuristics, http }, threats, risk_score, risk_level }`
- **Detects:** Malware distribution, brand impersonation (PayPal, Google, etc.), suspicious TLDs (.tk, .ml), excessive subdomains, login path keywords
### 7. `full-scan` — Combined Security Scan
Runs all applicable checks in parallel. Pass any combination of inputs.
- **Cost:** 0.01 USDC
- **Request:** `GET /api/full-scan?email=<email>&password_hash=<sha1>&domain=<domain>&ip=<ip>&url=<url>`
- **Returns:** Combined results with overall risk score and human-readable summary
- **Example:** `?email=test@linkedin.com&password_hash=5BAA61...` → "⚠️ Password found in 52M breaches, ⚠️ Domain affected by 3 breaches"
---
## Demo Mode
All 7 endpoints support `?demo=true` — returns realistic fake data, no payment required. Perfect for testing your integration before going live.
```bash
# Try it now:
curl -s "https://shield.vainplex.dev/api/check-url?demo=true"
curl -s "https://shield.vainplex.dev/api/full-scan?demo=true"
curl -s "https://shield.vainplex.dev/api/check-email?demo=true"
```
---
## x402 Payment Flow
When you call any paid endpoint without payment, ShieldAPI returns `HTTP 402` with machine-readable payment instructions:
```json
{
"x402Version": 1,
"error": "X-PAYMENT header is required",
"accepts": [{
"scheme": "exact",
"network": "base-sepolia",
"maxAmountRequired": "3000",
"asset": "0x036CbD53842c5426634e7929541eC2318f3dCF7e",
"payTo": "0x...",
"resource": "https://shield.vainplex.dev/api/check-domain?domain=example.com",
"description": "Domain reputation & security check"
}]
}
```
An x402-enabled client (using `@coinbase/x402`, `@x402/core`, or any x402 library) will:
1. Read the 402 response
2. Sign a USDC payment on Base Sepolia
3. Retry with `X-PAYMENT` header
4. Receive the security check results
---
## Use Cases
- **Password rotation agents** — Check if proposed passwords are in breach databases before setting them
- **Email onboarding** — Verify new user emails aren't from heavily breached domains
- **URL safety gates** — Screen links before agents click or users visit them
- **IP allowlisting** — Verify IPs aren't Tor exits, proxies, or blacklisted
- **Security audits** — Full-scan an organization's domain, IPs, and common passwords in one call
---
## Source & Links
- **Live API:** https://shield.vainplex.dev/api/health
- **Source:** https://github.com/alberthild/shieldapi *(coming soon)*
- **Protocol:** https://x402.org
- **Data:** HIBP (CC-BY), PhishTank, URLhaus (abuse.ch), Spamhaus