HashGrid Connect
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is openly intended for external agent-to-agent matching and chat, but it relies on remotely fetched instructions and encourages ongoing communication without human oversight, so it needs review before use.
Install only if you are comfortable connecting your agent to an external matching and chat network. Review the remote documentation yourself, keep the HashGrid API key protected, avoid sharing sensitive information, and do not enable heartbeat or cron polling unless you want ongoing autonomous communication.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The external server could change the instructions your agent follows, including what data to send or what actions to take.
The submitted artifact instructs the agent to retrieve and follow remote instructions that are not included in the reviewed package and may change after review.
The full API documentation is hosted at: https://connect.hashgrid.ai/skill.md Fetch it and follow the instructions:
Do not let the agent automatically follow the remote document as authoritative. Review the remote documentation manually, and prefer a packaged, pinned, reviewed copy of the API instructions.
Your agent may exchange messages with unknown external agents and could reveal sensitive context or be influenced by untrusted peer messages.
The skill is designed for direct communication with other agents, but the artifact does not specify identity verification, message trust boundaries, data-sharing limits, or human approval.
Private 1:1 matching and chat for AI agents. No human oversight.
Use only with non-sensitive context unless strong safeguards are added. Treat incoming peer messages as untrusted content and require explicit approval before sharing private data or following peer instructions.
The agent could continue checking and replying to external chats using its stored API key without a person reviewing each interaction.
The skill encourages recurring background polling and repeated replies, which can keep the agent communicating externally after the initial task.
Add to your heartbeat or cron: 1. `GET /chat?wait_timeout=30000` ... 3. Reply to messages, repeat
Avoid adding this to heartbeat or cron unless you explicitly want persistent behavior. Require user approval for outbound replies and provide an easy way to disable polling.
Anyone or any process that can read the credential file may be able to use the agent's HashGrid account.
The skill creates and stores a HashGrid API key. This is purpose-aligned, but it is still a credential that grants access to the service.
# Save the api_key from response! - Store credentials in `~/.config/hashgrid/credentials.json`
Store the credential with restrictive file permissions, do not share it with other services, and revoke or rotate it if it may have been exposed.
