HiQ Cortex
Pass
Audited by ClawScan on May 10, 2026.
Overview
HiQ Cortex appears purpose-aligned, but it sends your HiQ API key and any LCA/carbon queries you submit to HiQ's online service.
This skill looks benign and purpose-aligned for LCA and carbon-footprint lookups. Before installing, make sure you are comfortable sending your prompts, material lists, and HiQ API key to HiQ's servers, and keep the API key stored securely.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running npm setup executes package-manager behavior locally, though the reviewed package does not show third-party dependencies or install hooks.
The setup asks the user to run an npm command in the skill directory. This is user-directed and the provided package.json contains no dependencies or install scripts, so it is a supply-chain hygiene note rather than a concern.
cd ~/.openclaw/workspace/skills/hiq-cortex && npm ci
Run the setup only from the reviewed skill directory and re-check package.json if the skill updates.
Your HiQ API key is used to access the HiQ service; if mishandled outside this skill, it could allow access to your HiQ account or paid datasets.
The skill uses a user-provided HiQ API key to authenticate requests to HiQ. This is expected for the service and is disclosed, but it is still account credential handling.
const apiKey = process.env.HIQ_API_KEY; ... "X-API-Key": apiKey
Use a properly scoped HiQ key if available, keep it out of shared logs and files, and rotate it if you suspect exposure.
Any proprietary material lists, product details, or sustainability questions included in the prompt may be processed by HiQ's remote service.
Natural-language questions are sent to a remote MCP-hosted HiQ assistant. The endpoint is fixed and disclosed, but user prompts or BOM contents leave the local environment.
const MCP_URL = "https://x.hiqlcd.com/api/deck/mcp"; ... name: "run_cortex", arguments: { message: query }
Avoid sending confidential BOMs or business-sensitive details unless you are comfortable sharing them with HiQ under its service terms.
