shieldapi

ShieldAPI — x402 Security Intelligence for AI Agents. 11 endpoints: password range check (k-anonymity), password check (deprecated), email breach lookup, domain reputation, IP reputation, URL safety, and full security scan. Pay-per-request with USDC micropayments ($0.001-$0.01). No account, no API key. Demo mode available.

3,891 stars

byopenclaw

View on GitHub Installation ↓

Best use case

shieldapi is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using shieldapi should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/shieldapi/SKILL.md --create-dirs "https://raw.githubusercontent.com/openclaw/skills/main/skills/alberthild/shieldapi/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/shieldapi/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How shieldapi Compares

Feature / Agent	shieldapi	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

Related Guides

AI Agents for Marketing

Discover AI agents for marketing workflows, from SEO and content production to campaign research, outreach, and analytics.

Best AI Agents for Marketing

A curated list of the best AI agents and skills for marketing teams focused on SEO, content systems, outreach, and campaign execution.

Best AI Skills for Claude

Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.

SKILL.md Source

# 🛡️ ShieldAPI — Security Intelligence for AI Agents

**Data & Threat Intelligence Manifesto / Privacy Policy:**  
https://shield.vainplex.dev/privacy.html  
*We actively log scanned domains, URLs, and IPs to build a global Security Graph. We do not store PII. Every scan makes the whole network safer.*

ShieldAPI is a pay-per-request Security Intelligence Service built on the **x402** protocol (HTTP 402 Payment Required). It lets any AI agent perform comprehensive security checks — without accounts, API keys, or subscriptions. Just call, pay, get results.

Payments are settled in USDC on **Base Mainnet**. All endpoints support free demo mode.

**Base URL:** `https://shield.vainplex.dev/api`
**Health/Discovery:** `GET /api/health` (free, lists all endpoints + prices)

---

## 🔒 Security & Privacy (Agent Guidelines)

**1. Payment Key Isolation (No Ambiguity):**
Agents **MUST NOT** handle raw private keys or mnemonic phrases directly. Payment signing must be delegated to a secure signer module (e.g., `@coinbase/x402`, OpenClaw native wallet vault, or AgentProof Wallet Proxy). The `X-PAYMENT` header is generated out-of-band by the secure enclave.

**2. Data Privacy (k-Anonymity):**
For password checks, agents **MUST** use the `check-password-range` endpoint. Sending full SHA1 hashes (`check-password`) is heavily discouraged and flagged as a privacy violation. By sending only a 5-character prefix, the actual password hash never leaves the agent's environment.

**3. Oracle Trust Registry:**
ShieldAPI is officially registered and minted on the **AgentProof Oracle Registry (ERC-8004)** on Avalanche Mainnet as "ShieldAPI | Security Oracle" (Key-ID: `9913b2c3-6162-48f8-b624-3b4145b5abb7`).

---

## The 11 Endpoints

### 1. `check-password-range` — k-Anonymity Range Lookup (RECOMMENDED)
Returns all matching hash suffixes for a 5-char prefix. The client locally checks if their full hash is in the returned list, ensuring zero-knowledge privacy.
- **Cost:** 0.001 USDC
- **Request:** `GET /api/check-password-range?prefix=<5-char-sha1-prefix>`
- **Returns:** `{ prefix, total_matches, results: [{ suffix, count }] }`

### 2. `check-password` — Full Password Breach Check (⚠️ DEPRECATED)
Checks a full SHA1 hash against 900M+ leaked passwords. *Warning: Do not use for user data. Use range check instead.*
- **Cost:** 0.001 USDC
- **Request:** `GET /api/check-password?hash=<40-char-sha1>`
- **Returns:** `{ found: true/false, count: 3861493 }`

### 3. `check-domain` — Domain Reputation
Checks DNS records, SPF/DMARC, SSL certificate, and queries Spamhaus/SpamCop/SORBS blacklists.
- **Cost:** 0.003 USDC
- **Request:** `GET /api/check-domain?domain=<domain>`
- **Returns:** `{ domain, dns, blacklists, ssl, risk_score, risk_level }`

### 4. `check-ip` — IP Reputation
Checks IPv4 against 4 blacklists, detects Tor exit nodes, resolves reverse DNS.
- **Cost:** 0.002 USDC
- **Request:** `GET /api/check-ip?ip=<ipv4>`
- **Returns:** `{ ip, blacklists, is_tor_exit, reverse_dns, risk_score, risk_level }`

### 5. `check-email` — Email Breach Exposure
Checks which data breaches affected the email's domain. Returns breach details, exposed data types, and risk recommendations.
- **Cost:** 0.005 USDC
- **Request:** `GET /api/check-email?email=<email>`
- **Returns:** `{ breaches: [...], domain_breach_count, risk_score, risk_level, recommendations }`

### 6. `check-url` — URL Safety & Phishing Detection
Checks URL against URLhaus malware database, runs heuristic analysis (brand impersonation, suspicious TLDs, redirect chains).
- **Cost:** 0.003 USDC
- **Request:** `GET /api/check-url?url=<url>`
- **Returns:** `{ url, checks: { urlhaus, heuristics, http }, threats, risk_score, risk_level }`

### 7. `full-scan` — Combined Security Scan
Runs all applicable checks in parallel. Pass any combination of inputs.
- **Cost:** 0.01 USDC
- **Request:** `GET /api/full-scan?email=<email>&domain=<domain>&ip=<ip>&url=<url>`
- **Returns:** Combined results with overall risk score and human-readable summary

### 8. `scan-skill` — AI Skill Security Scanner
Runs supply chain security checks (8 categories) against agent skills/plugins.
- **Cost:** 0.02 USDC
- **Request:** `GET /api/scan-skill?url=<url>`

### 9. `check-prompt` — Prompt Injection Detection
Analyzes prompts against 200+ known prompt injection patterns (<100ms).
- **Cost:** 0.005 USDC
- **Request:** `GET /api/check-prompt?text=<prompt-text>`

### 10. `check-mcp-trust` — MCP Server Trust Score
Multi-signal security, reliability & supply chain analysis for MCP servers.
- **Cost:** 0.02 USDC
- **Request:** `GET /api/check-mcp-trust?pkg=<pkg>`

### 11. `check-package` — Supply Chain Pre-Flight Check
Validates software packages before installation.
- **Cost:** 0.01 USDC
- **Request:** `GET /api/check-package?name=<pkg-name>`

---

## Demo Mode

All 11 endpoints support `?demo=true` — returns realistic fake data, no payment required. Perfect for testing your integration before going live.

```bash
# Try it now:
curl -s "https://shield.vainplex.dev/api/check-url?demo=true"
curl -s "https://shield.vainplex.dev/api/full-scan?demo=true"
curl -s "https://shield.vainplex.dev/api/check-email?demo=true"
```

---

## x402 Payment Flow

When you call any paid endpoint without payment, ShieldAPI returns `HTTP 402` with machine-readable payment instructions:

```json
{
  "x402Version": 1,
  "error": "X-PAYMENT header is required",
  "accepts": [{
    "scheme": "exact",
    "network": "base",
    "maxAmountRequired": "3000",
    "asset": "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
    "payTo": "0x...",
    "resource": "https://shield.vainplex.dev/api/check-domain?domain=example.com",
    "description": "Domain reputation & security check"
  }]
}
```

An x402-enabled client (using `@coinbase/x402`, `@x402/core`, or an Agent native wallet) will:
1. Read the 402 response
2. Delegate the USDC signature to a secure enclave/wallet on Base Sepolia/Mainnet
3. Retry with `X-PAYMENT` header containing the signed payload
4. Receive the security check results

---

## Source & Links

- **Live API:** https://shield.vainplex.dev/api/health
- **AgentProof Oracle ID:** `9913b2c3-6162-48f8-b624-3b4145b5abb7` (ERC-8004 Avalanche)
- **Protocol:** https://x402.org
- **Data:** HIBP (CC-BY), PhishTank, URLhaus (abuse.ch), Spamhaus

Related Skills

---

3891

from openclaw/skills

name: article-factory-wechat

Content & Documentation

humanizer

3891

from openclaw/skills

Remove signs of AI-generated writing from text. Use when editing or reviewing text to make it sound more natural and human-written. Based on Wikipedia's comprehensive "Signs of AI writing" guide. Detects and fixes patterns including: inflated symbolism, promotional language, superficial -ing analyses, vague attributions, em dash overuse, rule of three, AI vocabulary words, negative parallelisms, and excessive conjunctive phrases.

Content & Documentation

find-skills

3891

from openclaw/skills

Helps users discover and install agent skills when they ask questions like "how do I do X", "find a skill for X", "is there a skill that can...", or express interest in extending capabilities. This skill should be used when the user is looking for functionality that might exist as an installable skill.

General Utilities

tavily-search

3891

from openclaw/skills

Use Tavily API for real-time web search and content extraction. Use when: user needs real-time web search results, research, or current information from the web. Requires Tavily API key.

Data & Research

baidu-search

3891

from openclaw/skills

Search the web using Baidu AI Search Engine (BDSE). Use for live information, documentation, or research topics.

Data & Research

agent-autonomy-kit

3891

from openclaw/skills

Stop waiting for prompts. Keep working.

Workflow & Productivity

Meeting Prep

3891

from openclaw/skills

Never walk into a meeting unprepared again. Your agent researches all attendees before calendar events—pulling LinkedIn profiles, recent company news, mutual connections, and conversation starters. Generates a briefing doc with talking points, icebreakers, and context so you show up informed and confident. Triggered automatically before meetings or on-demand. Configure research depth, advance timing, and output format. Walking into meetings blind is amateur hour—missed connections, generic small talk, zero leverage. Use when setting up meeting intelligence, researching specific attendees, generating pre-meeting briefs, or automating your prep workflow.

Workflow & Productivity

self-improvement

3891

from openclaw/skills

Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Claude ('No, that's wrong...', 'Actually...'), (3) User requests a capability that doesn't exist, (4) An external API or tool fails, (5) Claude realizes its knowledge is outdated or incorrect, (6) A better approach is discovered for a recurring task. Also review learnings before major tasks.

Agent Intelligence & Learning

botlearn-healthcheck

3891

from openclaw/skills

botlearn-healthcheck — BotLearn autonomous health inspector for OpenClaw instances across 5 domains (hardware, config, security, skills, autonomy); triggers on system check, health report, diagnostics, or scheduled heartbeat inspection.

DevOps & Infrastructure