Myosin Hivemind Knowledge Retrieval
PassAudited by ClawScan on May 10, 2026.
Overview
This appears to be a legitimate Hivemind knowledge-base search skill, but it uses Hivemind API credentials and sends search queries to a configured external API.
Before installing, verify that the HIVEMIND_API_URL is the provider endpoint you intend to use, understand that your search queries will be sent there with your Hivemind credentials, and avoid entering confidential launch or marketing details unless you trust that service.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Marketing questions may be sent to the Hivemind API before the agent answers.
This instruction can cause the agent to invoke the external search tool broadly for marketing advice, although the surrounding guidance limits it to marketing/Web3 contexts and lists when not to use it.
**ALWAYS search the knowledge base before giving marketing advice.**
Use the skill only when external Hivemind lookup is acceptable, and avoid including confidential strategy details in queries unless you trust the provider.
The configured API endpoint receives the Hivemind API key and Vercel bypass token, which may authorize access to the service.
The script uses service credentials to authenticate requests. The code scopes credential lookup to specific HIVEMIND_* keys and uses them only for the search API request.
const apiKey = resolveEnv("HIVEMIND_API_KEY");
const bypass = resolveEnv("HIVEMIND_VERCEL_BYPASS");
...
"x-api-key": apiKey,
"x-vercel-protection-bypass": bypass,Only configure a trusted HIVEMIND_API_URL, keep keys scoped and rotatable, and remove or rotate credentials if you no longer use the skill.
Search terms may reveal private marketing plans, launch details, or project strategy to the configured Hivemind API.
The user's search query and options are sent to the configured external API provider. This is the core purpose of the skill, but it is still a data-sharing boundary users should notice.
const body = {
query: values.query,
...
};
...
await fetch(`${url}/api/knowledge/search`, {
method: "POST",
headers: { ... },
body: JSON.stringify(body),
});Do not include sensitive or unreleased business details in queries unless you are comfortable sharing them with the configured provider.
Installer or review surfaces may not clearly warn that API credentials are needed.
The registry metadata does not surface credential requirements, while SKILL.md and the script require HIVEMIND_API_URL, HIVEMIND_API_KEY, and HIVEMIND_VERCEL_BYPASS. This is an under-declaration rather than hidden behavior because the skill file and code disclose it.
Required env vars: none Env var declarations: none Primary credential: none
The publisher should update registry metadata to declare the required environment variables and credential use.