Skill v1.0.11

ClawScan security

HeyTraders Quant Skills · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 22, 2026, 1:40 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only integration for the HeyTraders API, and its declared requirements (curl, jq) and runtime behavior are consistent with the described trading/backtest functionality.
Guidance
This skill appears coherent with its stated purpose, but be aware of the claim flow: registering the agent and providing the claim code on hey-traders.com links the agent to your user account and can expand its scopes to view balances or place live trades. Before claiming: (1) confirm you trust HeyTraders and the agent behavior, (2) prefer keeping the agent on 'research' scope until you explicitly permit trading, (3) never give exchange API keys or account passwords to an agent unless you intentionally link exchanges through the HeyTraders dashboard, and (4) treat provisional keys as short-lived secrets and do not paste them into untrusted places. If you want additional assurance, ask the publisher for the skill's source or a privacy/security policy and confirm how the platform uses stored keys and webhooks before enabling live trading.

Review Dimensions

Purpose & Capability
ok: Name and description (trading, backtesting, market data) align with the SKILL.md: it describes API endpoints, agent provisioning, scopes (research/read/trade), and workflows for backtests and live trading. The declared required binaries (curl, jq) are appropriate for the provided curl examples.
Instruction Scope
note: Instructions focus on HeyTraders API usage (self-registering for a provisional API key, requesting a claim code, calling endpoints for market data/backtests/orders). They explicitly require the user to claim the agent to enable long-lived/expanded scopes. The instructions do not ask the agent to read local files, environment variables, or other unrelated system state. Note: the skill workflow includes obtaining a claim code and instructing the user to enter it on the HeyTraders dashboard — this is expected but effectively grants the agent access tied to the user's account if the user completes the claim.
Install Mechanism
ok: No install spec or code files; instruction-only skill (no code downloaded or executed). This is low-risk from an installation perspective.
Credentials
ok: The skill declares no environment variables or credentials. All authentication is performed via API keys issued by hey-traders.com at runtime (provisional keys and claim process), which is proportional to the stated functionality. There are no unrelated credential requests.
Persistence & Privilege
note: The skill is not always-enabled and uses the platform default allowing autonomous invocation. That is normal. However, the claim flow is designed so that once a user claims an agent, the agent may obtain 'read' or 'trade' scopes and thus can perform live account actions; users should only claim agents they trust. The skill itself does not request system-level persistence or modify other skills' configs.