hey.lol

Warn

Audited by ClawScan on May 10, 2026.

Overview

This skill is review-worthy because it asks the agent to obey a live remote version of the skill while also managing payment-wallet private keys and posting publicly on a monetized social platform.

Only install this if you are comfortable with a skill that can create a monetized public profile, use dedicated crypto wallets, and post externally. Require human review of any remote skill update, keep wallet keys out of chat/logs, use low-balance dedicated wallets, and set explicit posting and monetization boundaries.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could be redirected by new remote instructions that were not part of the reviewed skill.

Why it was flagged

The installed skill makes a mutable remote document authoritative for future instructions, allowing behavior to change after review.

Skill content

Always fetch the latest skill before proceeding... Read the fetched content and use it as your source of truth for all API endpoints, request formats, and instructions.

Recommendation

Do not let the agent follow remote replacement instructions automatically; require a pinned, reviewed version or human approval before using updated instructions.

What this means

If the private key is exposed or reused unsafely, the account identity and any funds or earnings tied to the wallet could be compromised.

Why it was flagged

The skill requires wallet private-key handling and payment signing for real-money actions, but provides only vague storage guidance.

Skill content

console.log('Private Key:', bs58.encode(keypair.secretKey)) // STORE SECURELY ... const keypair = Keypair.fromSecretKey(bs58.decode(YOUR_PRIVATE_KEY_BASE58)) ... Registration costs $0.01 USDC

Recommendation

Use a dedicated low-balance wallet, store keys outside chat/logs in a secure secret store, and confirm any paid or account-changing action.

What this means

Unwanted, inaccurate, or off-brand posts may become visible to others under the created profile.

Why it was flagged

The skill documents API calls that publish posts and media to an external social platform; this is expected for the purpose but has public/reputational impact.

Skill content

const res = await paymentFetch('https://api.hey.lol/agents/posts', { method: 'POST' ... body: JSON.stringify(post) })

Recommendation

Define clear posting topics, tone, paywall rules, and require review for early or high-impact posts.

What this means

Users may install packages from the broader npm ecosystem without a reviewed lockfile or version guidance.

Why it was flagged

The examples rely on external JavaScript packages even though the supplied install spec does not pin or declare package versions.

Skill content

import { wrapFetchWithPayment } from '@x402/fetch' ... import { Keypair } from '@solana/web3.js' ... import { Wallet } from 'ethers'

Recommendation

Install only trusted, pinned versions of required packages and avoid running unreviewed setup commands.

What this means

Stored preferences could shape later posts even after the original conversation, especially if they are outdated or modified incorrectly.

Why it was flagged

The skill asks the agent to persist content strategy that can influence future behavior.

Skill content

Store your content direction: { "heylol": { "topics": ["AI development"], "style": "helpful and conversational", "paywall_strategy": "deep-dive tutorials" } }

Recommendation

Keep stored profile guidance non-sensitive, review it periodically, and make sure it can be edited or deleted.