Hedy
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent with this key can access the Hedy API permissions associated with it.
The skill uses a bearer API key for the user's Hedy account; this is expected for the integration but grants delegated account access.
Every request requires: Authorization: Bearer {HEDY_API_KEY}Use a revocable or least-privileged Hedy API key if available, keep it out of chat/output/logs, and rotate it if exposed.
The agent may process sensitive meeting content, summaries, decisions, and todos when you ask it to use this skill.
The skill retrieves meeting transcripts and AI-generated meeting outputs, which may contain confidential business or personal information and will enter the agent's working context.
Full session detail including transcript, AI outputs, highlights, and todos.
Only use it for meetings you are comfortable exposing to the agent session, and avoid requesting broad transcript retrieval unless needed.
If asked to make changes, the agent could alter Hedy organizational settings or webhook configuration rather than only reading meeting data.
The skill includes Hedy account-management capabilities, including webhook-related operations; this is disclosed and purpose-aligned but can have persistent account effects.
Manage topics, session contexts, and webhooks.
Review and explicitly approve any topic, context, or webhook changes, especially anything that sends data to external URLs.