Hedy

Pass

Audited by ClawScan on May 1, 2026.

Overview

This instruction-only Hedy API skill is coherent, but it grants the agent access to sensitive meeting records and some Hedy account-management features through your API key.

Install this skill if you want OpenClaw to access your Hedy meeting data. Before using it, confirm the region is correct, protect the Hedy API key, and be deliberate about requests that retrieve many transcripts or change topics, contexts, or webhooks.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any agent with this key can access the Hedy API permissions associated with it.

Why it was flagged

The skill uses a bearer API key for the user's Hedy account; this is expected for the integration but grants delegated account access.

Skill content

Every request requires: Authorization: Bearer {HEDY_API_KEY}

Recommendation

Use a revocable or least-privileged Hedy API key if available, keep it out of chat/output/logs, and rotate it if exposed.

What this means

The agent may process sensitive meeting content, summaries, decisions, and todos when you ask it to use this skill.

Why it was flagged

The skill retrieves meeting transcripts and AI-generated meeting outputs, which may contain confidential business or personal information and will enter the agent's working context.

Skill content

Full session detail including transcript, AI outputs, highlights, and todos.

Recommendation

Only use it for meetings you are comfortable exposing to the agent session, and avoid requesting broad transcript retrieval unless needed.

What this means

If asked to make changes, the agent could alter Hedy organizational settings or webhook configuration rather than only reading meeting data.

Why it was flagged

The skill includes Hedy account-management capabilities, including webhook-related operations; this is disclosed and purpose-aligned but can have persistent account effects.

Skill content

Manage topics, session contexts, and webhooks.

Recommendation

Review and explicitly approve any topic, context, or webhook changes, especially anything that sends data to external URLs.