HL Privateer

Pass

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent instruction-only skill for a paid trading-signal API, but using it can spend USDC and may influence financial decisions.

Before installing, be comfortable with a skill that makes network calls to a third-party trading-signal API and may require signing small USDC payments. Use a dedicated low-balance wallet, set clear approval and spending limits, avoid providing operator credentials, and do not treat the trading signals as guaranteed financial advice.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent can sign x402 payments, it can spend USDC for API calls; mishandling a wallet private key or entitlement token could expose funds or paid access.

Why it was flagged

Accessing paid endpoints can require wallet signing authority and may produce reusable entitlement tokens. This is disclosed and central to x402 payment, but it is still financial/credential authority.

Skill content

const account = privateKeyToAccount("0x<your-private-key>"); ... PAYMENT-SIGNATURE ... x-agent-entitlement: <entitlement-id>

Recommendation

Use a low-balance dedicated wallet, verify the requested amount before signing, set a spending budget, and do not paste real private keys into untrusted tools or chats.

What this means

An agent with operator credentials could affect the trading desk’s runtime state or positions; this is not needed for normal paid read-only signal access.

Why it was flagged

The API reference documents server-side command routes, including high-impact operator commands. They are described as JWT-authenticated, so this is not evidence of automatic or unauthorized execution, but users should avoid giving agents unnecessary operator credentials.

Skill content

POST /v1/operator/command ... Available commands: `/status`, `/positions`, `/risk-policy`, `/halt`, `/resume`, `/flatten`, `/explain`

Recommendation

Do not provide operator JWTs or login secrets unless you intentionally want operator control, and require explicit confirmation for any command endpoint.

What this means

Following or copying the signals can lead to financial losses even if the provider describes risk controls.

Why it was flagged

The skill promotes copy-trading use and includes safety claims about its trading desk. These are purpose-aligned statements, but they may encourage over-reliance on financial signals.

Skill content

Read positions and signals to mirror trades on your own account. ... No agent can bypass risk limits. The human operator holds kill-switch authority.

Recommendation

Treat the outputs as paid market information, not guaranteed or personalized financial advice, and independently decide whether any trade is appropriate.