HeySummon
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
HeySummon mostly matches its stated human-help purpose, but it needs review because it can send conversation context to external parties, makes questionable encryption claims, and includes risky credential, persistence, and Git auto-sync handling.
Install only if you trust HeySummon and the selected providers. Before use, remove or rotate any exposed client key, disable or review auto-sync, add a strict .gitignore, restrict permissions on .env/providers.json/.keys, and require explicit approval with redacted context before sending help requests.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Sensitive chat, project, or business details could be sent to HeySummon and a human provider.
The submit script sends the user's question and arbitrary message context to the HeySummon API for routing to a human provider. The artifacts do not clearly bound what context may be included or require a user approval/redaction step before external sharing.
curl -s -X POST "${BASE_URL}/api/v1/help" ... question: process.argv[4], messages: JSON.parse(process.argv[5])
Require explicit user confirmation before each request, show the destination provider/platform URL, and send only minimized or redacted context.
A user may share secrets believing the conversation is end-to-end encrypted when the platform/provider may receive readable content.
This privacy claim is misleading or at least ambiguous: the provided submit script posts the question and messages as plaintext JSON fields, and the watcher explicitly handles plaintext provider messages. Users may overtrust the confidentiality of what they send.
All communication flows through the platform API. E2E encryption is handled server-side.
Either implement client-side encryption for submitted content or remove/clarify the E2E claim and warn users not to send secrets.
A bundled or leaked client key could allow unintended access to a HeySummon account or service identity.
The static scan reports that this README line appears to expose a hardcoded API secret or token. That is not necessary for the stated purpose and conflicts with the documentation's claim of no hardcoded credentials.
CLIENT_KEY="[REDACTED]"
Remove the literal secret, rotate the affected key, and keep only placeholders in documentation.
The background watcher can act through the user's local OpenClaw gateway to send notifications or wake the agent.
The watcher reads the local OpenClaw gateway token from ~/.openclaw/openclaw.json and uses it to invoke local OpenClaw endpoints. This high-impact local credential use is not declared in the registry metadata.
readFileSync(p,'utf8')).gateway.auth.token ... "http://127.0.0.1:${OPENCLAW_PORT}/tools/invoke"
Disclose the required OpenClaw token/config path, scope the token or endpoint permissions if possible, and let users opt in before starting the watcher.
If enabled, private keys, API keys, provider records, or request data could be pushed to GitHub.
The optional auto-sync script commits and pushes all changes in the skill directory. The same skill stores API keys, provider data, keypairs, and request tracking files locally, and no .gitignore file appears in the supplied manifest.
git add -A ... git commit -m "Auto-sync: $TIMESTAMP" --quiet ... git push origin main --quiet
Do not run auto-sync until a reviewed .gitignore is present; exclude .env, providers.json, .keys, .requests, logs, and any event files.
The skill may keep running after setup to receive and forward HeySummon events.
Setup starts a persistent background SSE watcher using pm2 or nohup. This is disclosed and purpose-aligned for receiving provider replies, and teardown.sh can stop it.
pm2 start "$WATCHER" --name "$NAME" --interpreter bash pm2 save ... nohup bash "$WATCHER" >> "$LOGFILE" 2>&1 &
Start the watcher only when needed, confirm the notification target, and use scripts/teardown.sh when finished.
Installation and permission expectations may be unclear until the scripts are inspected.
The registry metadata under-declares what the artifacts use: README and scripts require Node.js/curl/jq, HeySummon API keys, .env configuration, and the local OpenClaw config token.
Required binaries ... none; Required env vars: none; Primary credential: none; Required config paths: none
Update metadata to declare required binaries, env vars, credentials, config paths, network use, and background-process behavior.
