Metered API Marketplace

Build and operate a metered public API endpoint ("agent microservice") for OpenClaw skills/agents with API-key auth, per-request usage logging + pricing, pre...

This package appears to be a coherent metered-API reference implementation, but pay attention before installing or deploying: - Metadata mismatch: the registry lists no required env vars, but the code requires a Postgres DATABASE_URL and several secrets (ADMIN_TOKEN, webhook secrets, fee addresses). Treat DATABASE_URL and webhook secrets as high-sensitivity credentials — granting them equals giving the service access to your database and to credit balances. - Do not deploy with default/empty secrets. Set a strong ADMIN_TOKEN and unique WEBHOOK_SHARED_SECRET / provider webhook secrets before exposing admin endpoints. - Admin endpoints (create-key, stats) exist — ensure these are protected by ADMIN_TOKEN and not public. If you deploy to a public host, restrict access (IP allowlist, additional auth) or remove admin routes from the public surface. - The service requires a Postgres DB. Run it in an isolated project/account and avoid reusing a production database or credentials. - Verify webhook handling and fee addresses. The server only accounts for bookkeeping; on-chain custody/splitting must be handled by your payment processor. Double-check fee calculations and where fee addresses are configured. - Installation/Deployment: because there is no install spec, you (or your operator) will need to run npm install and manage deployment. Review package.json, pin dependency versions, and run dependency audits (npm audit / SCA) before deploying. - Review the code yourself (or have an engineer review) for any environment-specific assumptions you may need to change (rate limits, pricing envs, MAX_BODY_BYTES). The transformer functions are deterministic and do not make outbound network calls, which reduces exfiltration risk, but the DB/webhook code will handle sensitive data. If you want to proceed, require the publisher to update registry metadata to explicitly declare required env vars and permissions, or only run the reference implementation in an isolated/test environment until you are comfortable with configuration and security controls.

Type: OpenClaw Skill Name: metered-api-marketplace Version: 0.1.3 The skill bundle implements a metered API marketplace with API key authentication, usage tracking, and payment webhooks. The code uses standard security practices such as HMAC-SHA256 for signature verification with timing-safe comparisons, and parameterized queries for all database interactions (PostgreSQL via `pg` library), effectively preventing SQL injection. The 'transformers' are pure functions, explicitly designed to be stateless and without I/O, which limits their attack surface. Sensitive configurations like `DATABASE_URL`, `ADMIN_TOKEN`, and various webhook secrets are expected to be provided via environment variables, which is a standard practice. While misconfiguration of these secrets could lead to vulnerabilities, the code itself does not exhibit any malicious intent, data exfiltration, unauthorized command execution, or prompt injection attempts in the `SKILL.md` or other documentation. All functionalities align with the stated purpose of building a monetized API service.