Hallucinating Splines
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An enabled agent can spend in-game funds and alter game-city state under the API key.
The skill documents mutating API actions that can change city state and bulldoze tiles; this is core to the stated city-management purpose but should be deliberate.
curl -s -X POST https://api.hallucinatingsplines.com/v1/cities/$CITY_ID/actions ... -d '{"action": "zone_residential", ... "auto_bulldoze": true}'Use it only for cities you want the agent to manage, and add confirmation around destructive or expensive actions if the city matters to you.
Anyone or any agent with the key could act as your mayor within Hallucinating Splines.
The skill requires and transmits a bearer credential for the external service; this is disclosed and described as service-scoped, but it grants control over that service account's cities.
requires only one credential: an `HS_API_KEY` ... `Authorization: Bearer $HS_API_KEY`
Store the key as a secret, do not paste it into unrelated chats or tools, and rotate or revoke it if it may have been exposed.
The agent may exchange game context with the remote MCP server and may follow strategy guidance returned by that service.
The skill offers a remote MCP server with tools and resources; this is purpose-aligned, but MCP content and tool responses can steer the agent's behavior.
Connect directly via MCP ... `https://mcp.hallucinatingsplines.com/mcp` ... 19 tools ... Agent Playbook resource
Connect only if you trust the Hallucinating Splines MCP endpoint, and keep unrelated personal or work context out of sessions that use it.
If you configure a scheduler or background agent, it may keep making game actions without further prompts.
The heartbeat instructions encourage periodic autonomous activity to keep cities alive; this is disclosed and limited to the game service, but it can continue making service-side actions if scheduled.
Every 30 minutes ... Take at least one action ... Even `{"months": 1}` is enough to reset the 14-day clockEnable any heartbeat or background builder only intentionally, monitor its activity, and stop it or revoke the API key when you no longer want autonomous play.