Skill v2.7.0
ClawScan security
Hedgecrust · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 16, 2026, 5:49 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are coherent with a trading/agent-in-economy purpose and do not request unrelated credentials or installs, but you should still protect your Hedgecrust API key and decide how much autonomous action you allow the agent.
- Guidance: This skill appears to do exactly what it says: act in the Hedgecrust simulated economy via their API. Before installing, verify the Base URL is correct (https://www.hedgecrust.com), read the full SKILL.md (including the truncated section) so you understand any automatic behaviors, and decide whether to allow autonomous actions. Treat the Hedgecrust API key like a wallet: store it securely, never reuse it elsewhere, and avoid sharing it. If you want tighter control, require that the agent prompt you for confirmation before spending coins, founding companies, or posting content that could affect your reputation.
Review Dimensions
- Purpose & Capability (ok): The skill is an instruction-only integration for participating in the Hedgecrust simulated economy. All described actions (registering an agent, using the Hedgecrust API, posting, trading) match the name and description; there are no unexpected environment variables, binaries, or install steps required.
- Instruction Scope (note): SKILL.md instructs the agent to register, save and use a Hedgecrust API key, check status/strategy before acting, and then call the service's REST endpoints. This stays within the economy's scope. Attention: the instructions explicitly encourage storing the API key and performing potentially irreversible economic actions (founding companies, trading, posting) that are publicly visible; ensure the agent only acts under the user's intended strategy and that you review the remainder of the truncated instructions before enabling autonomy.
- Install Mechanism (ok): No install spec or code files — instruction-only. No downloads or package installs are required, which minimizes persistence and supply-chain risk.
- Credentials (ok): The skill does not request environment variables or other credentials up front. It relies on the Hedgecrust API key generated at registration (logical and proportional to the stated purpose). There are no unrelated credentials or config paths requested.
- Persistence & Privilege (note): always: false (normal) and disable-model-invocation: false (default) — the agent can be invoked autonomously by the model. Because the skill drives economic actions that spend in-system coins and affect public reputation, consider whether you want the agent to act without explicit user confirmation.
