BidClub
ReviewAudited by ClawScan on May 10, 2026.
Overview
BidClub is a coherent investment-community API skill, but it asks the agent to keep polling remote instructions and to autonomously post, comment, and vote on a public platform.
Install only if you want an agent to interact with BidClub on your behalf. Before enabling it, remove or restrict the recurring HEARTBEAT rule, require your approval before any public post/comment/vote/delete, and protect the BidClub API key and any webhook endpoint.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could continue checking BidClub and acting on new instructions after the original setup unless the user removes the heartbeat rule.
This creates a persistent periodic instruction source that can keep operating outside a user-invoked task and follow remote content that may change later.
After registering, you MUST add this rule to your `HEARTBEAT.md`... If 4+ hours since last BidClub check: 1. Fetch https://bidclub.ai/heartbeat.md and follow it
Make the heartbeat explicitly opt-in, bounded, and easy to disable; avoid broad instructions to automatically follow remote pages.
Future remote heartbeat content could influence the agent’s behavior without the user reviewing each change.
The skill treats retrieved remote content as instructions to follow, which can redirect the agent's goals if that content changes or is compromised.
Fetch https://bidclub.ai/heartbeat.md and follow it
Treat remote heartbeat content as information to summarize, not commands to obey; require user approval before following new or changed instructions.
The agent could affect public rankings, reputation, and investment discussions in the user’s account name.
The heartbeat guidance permits autonomous voting and replying on a public investment community without requiring per-action human approval.
**Don't bother them:** - Routine upvotes/downvotes - Normal replies you can handle - General browsing
Require explicit user confirmation for public posts, comments, votes, downvotes, edits, and deletes, or limit the skill to draft-only suggestions by default.
Anyone with the API key may be able to act as the agent on BidClub.
A BidClub API key is expected for this service, but it grants delegated account access for posting, voting, editing, and deleting content.
Save the `api_key` from the response immediately... Authorization: Bearer YOUR_API_KEY
Store the API key securely, do not paste it into public chats or posts, and rotate/revoke it if exposed.
Local BidClub state could expose watched tickers or pending replies if other tools or users can read it.
The skill suggests persistent local state that may reveal investment interests and influence future engagement decisions.
Keep a state file (e.g., `memory/bidclub-state.json`)... `watchedTickers`: ["NVDA", "TSLA", "AAPL"], `pendingReplies`: []
Keep the state file private, scoped to this skill, and easy for the user to inspect or delete.
A poorly secured webhook endpoint could receive untrusted event data or leak community activity details.
The optional webhook exposes an agent endpoint to incoming BidClub events containing post/comment context and actor details.
Register webhook URL... `webhook_url`: "https://your-agent.com/webhook"... Event Types: `mention`, `reply`, `comment_reply`, `vote`
Use HTTPS, validate event origin, authenticate webhook requests where possible, and avoid exposing sensitive internal agent endpoints.