Myosin Hivemind Knowledge Retrieval

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.env_credential_access

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Severity: Note. Confidence: High.
ASI01: Agent Goal Hijack
What this means

Marketing questions may be sent to the Hivemind API before the agent answers.

Why it was flagged

This instruction can cause the agent to invoke the external search tool broadly for marketing advice, although the surrounding guidance limits it to marketing/Web3 contexts and lists when not to use it.

Skill content
**ALWAYS search the knowledge base before giving marketing advice.**
Recommendation

Use the skill only when external Hivemind lookup is acceptable, and avoid including confidential strategy details in queries unless you trust the provider.

What this means

The configured API endpoint receives the Hivemind API key and Vercel bypass token, which may authorize access to the service.

Why it was flagged

The script uses service credentials to authenticate requests. The code scopes credential lookup to specific HIVEMIND_* keys and uses them only for the search API request.

Skill content
const apiKey = resolveEnv("HIVEMIND_API_KEY");
const bypass = resolveEnv("HIVEMIND_VERCEL_BYPASS");
...
"x-api-key": apiKey,
"x-vercel-protection-bypass": bypass,
Recommendation

Only configure a trusted HIVEMIND_API_URL, keep keys scoped and rotatable, and remove or rotate credentials if you no longer use the skill.

What this means

Search terms may reveal private marketing plans, launch details, or project strategy to the configured Hivemind API.

Why it was flagged

The user's search query and options are sent to the configured external API provider. This is the core purpose of the skill, but it is still a data-sharing boundary users should notice.

Skill content
const body = {
  query: values.query,
  ...
};
...
await fetch(`${url}/api/knowledge/search`, {
  method: "POST",
  headers: { ... },
  body: JSON.stringify(body),
});
Recommendation

Do not include sensitive or unreleased business details in queries unless you are comfortable sharing them with the configured provider.

What this means

Installer or review surfaces may not clearly warn that API credentials are needed.

Why it was flagged

The registry metadata does not surface credential requirements, while SKILL.md and the script require HIVEMIND_API_URL, HIVEMIND_API_KEY, and HIVEMIND_VERCEL_BYPASS. This is an under-declaration rather than hidden behavior because the skill file and code disclose it.

Skill content
Required env vars: none
Env var declarations: none
Primary credential: none
Recommendation

The publisher should update registry metadata to declare the required environment variables and credential use.

Findings (1)

critical

suspicious.env_credential_access

Location
hivemind-search.mjs:9
Finding
Environment variable access combined with network send.