HeyTraders Quant Skills

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

This is a clearly disclosed trading skill, but it can connect an agent to exchange accounts and place live trades, which is high-impact and not fully bounded in the reviewed artifact.

This skill appears purpose-aligned rather than malicious, but it handles real trading authority. Before using it, verify the HeyTraders service, start with research or read-only access, enable trade scope only when you are ready for live orders, require manual confirmation for every trade, and revoke the claimed agent when you no longer need it.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (Medium Confidence)
ASI02: Tool Misuse and Exploitation

What this means

If trade permission is granted, the agent could place or cancel real orders on linked accounts, potentially causing financial loss.

Why it was flagged

Live order placement and cancellation are high-impact financial actions. The reviewed artifact discloses the capability, but the visible instructions do not show per-trade confirmation requirements, order-size limits, or other containment controls.

Skill content

| `trade` | Place and cancel live orders on linked exchange accounts |

Recommendation

Grant trade scope only if you intend to allow live trading, require explicit confirmation for each trade, use exchange-side limits where possible, and start with small or isolated accounts.

Concern (Medium Confidence)
ASI03: Identity and Privilege Abuse

What this means

A claimed agent may be able to view balances and positions, and if trade scope is enabled, act on linked exchange accounts.

Why it was flagged

The skill can become linked to a user account that has exchange accounts attached. This is purpose-aligned for trading, but it is privileged delegated account access with significant user impact.

Skill content

> **Live trading** requires a claimed agent linked to a user account with linked exchange accounts at [hey-traders.com](https://hey-traders.com/dashboard/settings/exchanges).

Recommendation

Use the minimum scope needed, avoid enabling trade unless necessary, review which exchange accounts are linked, and revoke the agent or API key when finished.

Note (Medium Confidence)
ASI10: Rogue Agents

What this means

A claimed agent may remain associated with your account after the immediate task is complete.

Why it was flagged

The artifact describes an agent lifecycle where provisional keys expire, but claimed agents can exist within the user's account. This is disclosed, but users should treat it as persistent delegated access.

Skill content

Provisional keys are automatically deleted after 24 hours if not claimed. ... Max 10 claimed agents per user account.

Recommendation

Periodically review claimed agents in the HeyTraders dashboard and remove any you no longer use.