arshingleton

Metered API Marketplace

by Andrew Shingleton · GitHub ↗ · v0.1.3
cross-platform ⚠ suspicious
Downloads: 382
Stars: 0
Active Installs: 0
Versions: 4
Install in OpenClaw
/install metered-api-marketplace
Description
Build and operate a metered public API endpoint ("agent microservice") for OpenClaw skills/agents with API-key auth, per-request usage logging + pricing, pre...
Usage Guidance
This package appears to be a coherent metered-API reference implementation, but pay attention before installing or deploying:
- Metadata mismatch: the registry lists no required env vars, but the code requires a Postgres DATABASE_URL and several secrets (ADMIN_TOKEN, webhook secrets, fee addresses). Treat DATABASE_URL and webhook secrets as high-sensitivity credentials — granting them equals giving the service access to your database and to credit balances.
- Do not deploy with default/empty secrets. Set a strong ADMIN_TOKEN and unique WEBHOOK_SHARED_SECRET / provider webhook secrets before exposing admin endpoints.
- Admin endpoints (create-key, stats) exist — ensure these are protected by ADMIN_TOKEN and not public. If you deploy to a public host, restrict access (IP allowlist, additional auth) or remove admin routes from the public surface.
- The service requires a Postgres DB. Run it in an isolated project/account and avoid reusing a production database or credentials.
- Verify webhook handling and fee addresses. The server only accounts for bookkeeping; on-chain custody/splitting must be handled by your payment processor. Double-check fee calculations and where fee addresses are configured.
- Installation/Deployment: because there is no install spec, you (or your operator) will need to run npm install and manage deployment. Review package.json, pin dependency versions, and run dependency audits (npm audit / SCA) before deploying.
- Review the code yourself (or have an engineer review) for any environment-specific assumptions you may need to change (rate limits, pricing envs, MAX_BODY_BYTES). The transformer functions are deterministic and do not make outbound network calls, which reduces exfiltration risk, but the DB/webhook code will handle sensitive data.
If you want to proceed, require the publisher to update registry metadata to explicitly declare required env vars and permissions, or only run the reference implementation in an isolated/test environment until you are comfortable with configuration and security controls.
Capability Analysis
Type: OpenClaw Skill
Name: metered-api-marketplace
Version: 0.1.3
The skill bundle implements a metered API marketplace with API key authentication, usage tracking, and payment webhooks. The code uses standard security practices such as HMAC-SHA256 for signature verification with timing-safe comparisons, and parameterized queries for all database interactions (PostgreSQL via `pg` library), effectively preventing SQL injection. The 'transformers' are pure functions, explicitly designed to be stateless and without I/O, which limits their attack surface. Sensitive configurations like `DATABASE_URL`, `ADMIN_TOKEN`, and various webhook secrets are expected to be provided via environment variables, which is a standard practice. While misconfiguration of these secrets could lead to vulnerabilities, the code itself does not exhibit any malicious intent, data exfiltration, unauthorized command execution, or prompt injection attempts in the `SKILL.md` or other documentation. All functionalities align with the stated purpose of building a monetized API service.
Capability Assessment
Purpose & Capability
The name/description (metered public API with API-key auth, usage ledger, and payment webhooks) are consistent with the bundled server and Next.js reference code. However, the published metadata declares no required environment variables or credentials even though the code expects a Postgres DATABASE_URL, ADMIN_TOKEN, webhook secrets, fee addresses, and other env vars — a clear mismatch between stated registry requirements and actual runtime needs.
Instruction Scope
SKILL.md and the references document the expected workflow (pick transformer, run the server, create API keys, wire webhooks, deploy behind TLS). The runtime instructions and code operate within that advertised scope (authenticate signed API keys, check balances, deduct per-call cost, verify provider webhooks). The instructions do not direct the agent to read unrelated local system files or exfiltrate secrets, but they do require you to provide sensitive configuration (DB URL, webhook secrets, admin token).
Install Mechanism
There is no install spec in registry metadata (instruction-only), but the package contains runnable Node.js code (server and Next.js starter) that requires npm dependencies (next, pg, fastify, @fastify/rate-limit, etc.). This means the user/installer must run npm install / deploy themselves; nothing is downloaded from an untrusted URL, but the lack of an explicit install step in metadata is a usability/security gap (operators might not realize what will be required).
Credentials
Registry metadata lists no required env vars or credentials, yet the code and SKILL.md expect many sensitive env vars: DATABASE_URL (Postgres connection string), ADMIN_TOKEN, WEBHOOK_SHARED_SECRET, COINBASE_COMMERCE_WEBHOOK_SECRET, BTCPAY_WEBHOOK_SECRET, FEE_BPS, FEE_ETH_ADDRESS, FEE_BTC_ADDRESS, COST_CENTS_PER_CALL, MAX_BODY_BYTES, MAX_SKEW_MS, PORT/HOST, etc. Requesting a DB connection string and multiple webhook secrets is proportional for a hosted payments/ledger service, but the omission from metadata is an incoherence and a potential safety/permission model problem (user may not be warned up-front).
Persistence & Privilege
The skill does not request always:true, does not claim to modify other skills, and does not embed persistent platform-level privileges. It implements its own runtime server and DB records (api_keys, balances, usage, credits) which is normal for the stated purpose. Be aware running this creates a long-lived external service with its own credentials and webhooks.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install metered-api-marketplace
  3. After installation, invoke the skill by name or use /metered-api-marketplace
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.3
Add Coinbase Commerce + BTCPay webhook verification adapters (real top-ups), update Next.js starter env vars
v0.1.2
Vercel/Next.js starter with clean /v1 rewrites, added 12 conversion/math transformers, added admin stats endpoint, $0.25 flat pricing
v0.1.1
Add Vercel/Next.js serverless starter + Supabase pooler guidance
v0.1.0
Postgres ledger, 12 deterministic transformers, $0.25 flat pricing, agent integration prompt
Metadata
Slug metered-api-marketplace
Version 0.1.3
License
All-time Installs 0
Active Installs 0
Total Versions 4
Frequently Asked Questions

What is Metered API Marketplace?

Build and operate a metered public API endpoint ("agent microservice") for OpenClaw skills/agents with API-key auth, per-request usage logging + pricing, pre... It is an AI Agent Skill for Claude Code / OpenClaw, with 382 downloads so far.

How do I install Metered API Marketplace?

Run "/install metered-api-marketplace" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Metered API Marketplace free?

Yes, Metered API Marketplace is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Metered API Marketplace support?

Metered API Marketplace is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Metered API Marketplace?

It is built and maintained by Andrew Shingleton (@arshingleton); the current version is v0.1.3.
