HiEnergy Advertiser Intelligence Affiliate Copilot

Audited by ClawScan on May 10, 2026.

Overview

This looks like a real HiEnergy API integration, but it can use your API key to change business contacts/publisher data and includes broad API request capability without clear confirmation safeguards.

Verify the publisher/source before supplying a HiEnergy API key. If you install it, prefer a least-privilege key, run it in an isolated Python environment, and require manual confirmation before any contact or publisher create/replace/update action. The provided source excerpt for the main client was truncated, so review the full source before enabling admin-level use.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent misinterprets a request or is given a vague prompt, it could alter HiEnergy publisher/contact records under the user's API key.

Why it was flagged

These are business/account-data mutation operations. The skill documents the routes but does not state that the agent must confirm the exact change with the user before creating, replacing, or updating records.

Skill content
- Publisher update → `update_publisher` (admin/publisher)
- Contact create/replace → `create_contact`, `replace_contact` (admin/publisher)
Recommendation

Require explicit user confirmation before any create, replace, update, patch, or delete action, including the target record, exact fields, and whether the action is reversible.

What this means

A caller using the helper directly, or a future routing path, could perform broader account mutations than a user expects from the chat instructions.

Why it was flagged

The included API client has a generic host-scoped request helper that supports mutating and delete methods for arbitrary API paths under the HiEnergy API. This is broader than the documented endpoint-specific workflows and lacks an allowlist in the visible code.

Skill content
ALLOWED_HTTP_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE"}
...
def _make_request(self, endpoint: str, method: str = 'GET', ...)
Recommendation

Restrict the generic request helper to an allowlist of documented endpoints, remove DELETE unless needed, and add confirmation requirements for all non-GET requests.

What this means

Using this skill exposes HiEnergy account data to the agent's working context and lets the skill act with the permissions of the API key.

Why it was flagged

The skill clearly discloses that the API key delegates the user's HiEnergy account access, including potentially sensitive contact/status data.

Skill content
Your API key gives access to the same data you can see in the HiEnergy web app. Pro users can see additional fields/data, especially around advertiser status and contacts.
Recommendation

Use the least-privileged HiEnergy API key available, avoid sharing admin keys unless needed, and rotate the key if it may have been exposed.

What this means

Installing dependencies pulls code from the Python package ecosystem into the local environment.

Why it was flagged

The setup depends on installing an external Python package version range rather than an exact lockfile. This is common and purpose-aligned, but users should be aware of the dependency install.

Skill content
requests>=2.31.0,<3.0.0
Recommendation

Install in a virtual environment, use a trusted package index, and pin or lock dependencies for production use.