Hivebrite By Altf1be

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Hivebrite admin CLI, but it grants broad live admin access and stores OAuth tokens locally, so it should be used carefully.

Install this only if you intend to let the agent operate a Hivebrite Admin API account. Use a dedicated least-privileged token if possible, review every create/update/delete/send action before execution, and manage the local OAuth token cache file at ~/.cache/openclaw/hivebrite-token.json.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Medium
What this means

If invoked with admin credentials, the skill can change community records or send messages through the Hivebrite account.

Why it was flagged

The skill exposes live admin actions, including data mutation and email campaign sending. This matches the stated Admin API purpose, but the operations are high-impact.

Skill content
Full Hivebrite Admin API CLI covering users, companies, events, groups, donations, memberships, emailings... node {baseDir}/scripts/hivebrite.mjs emailings campaigns send --id 20
Recommendation

Use it only with explicit user approval for mutating or messaging actions, and prefer least-privileged credentials where Hivebrite supports them.

ASI03: Identity and Privilege Abuse
Medium
What this means

Anyone or any agent with access to these credentials can act with significant Hivebrite admin privileges.

Why it was flagged

The OAuth flow uses admin-scoped Hivebrite credentials, which is expected for a full Admin API CLI but grants broad delegated authority.

Skill content
const body = { client_id: clientId, client_secret: clientSecret, scope: 'admin' }; ... body.admin_email = env('HIVEBRITE_ADMIN_EMAIL'); body.password = env('HIVEBRITE_ADMIN_PASSWORD');
Recommendation

Protect the environment variables, avoid sharing logs or shells containing them, and use a dedicated limited admin account/token if possible.

ASI03: Identity and Privilege Abuse
Low
What this means

The token may remain on disk after use and could be reused by anyone with local access to that file.

Why it was flagged

The skill persists OAuth tokens, including a refresh token when available, in a local cache file for future runs.

Skill content
const OAUTH_TOKEN_PATH = resolve(homedir(), '.cache', 'openclaw', 'hivebrite-token.json'); ... writeFileSync(OAUTH_TOKEN_PATH, JSON.stringify({ access_token: _cachedAccessToken, refresh_token: data.refresh_token || process.env.HIVEBRITE_REFRESH_TOKEN || null, expires_at: _tokenExpiresAt, })
Recommendation

Ensure the cache directory is protected, delete the cache file when access should be revoked, and rotate Hivebrite tokens if the machine is shared or compromised.