Agentic Beehive MCP Server

Advisory: audited by static analysis on May 13, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A future or compromised dependency version could change what code runs in the local MCP server environment.

Why it was flagged

The skill relies on a manually installed, unpinned Python package. This is expected for a Python MCP server, but dependency provenance and version pinning are left to the user.

Skill content

python3 -m venv .venv
source .venv/bin/activate
pip install fastmcp

Recommendation

Install in a virtual environment, verify the package source, and consider pinning `fastmcp` to a known version before use.

What this means

Incorrect, stale, or untrusted entries in the local Beehive database could affect future recommendations or status summaries.

Why it was flagged

The skill intentionally stores persistent agent state, including branches, colonies, alerts, and evolution logs, which may later influence agent decisions.

Skill content

Storage: SQLite (`beehive.db`), WAL mode
Tables: branches, colonies, alerts, evolution_log

Recommendation

Treat the database as persistent agent memory; review or clear `beehive.db` if it contains unwanted state, and avoid storing secrets in colony metadata or alerts.

What this means

If an untrusted or internal URL is registered, the agent may make network requests from the user's machine to that endpoint.

Why it was flagged

The server lets colonies be registered with arbitrary endpoints and then polls those endpoints over HTTP. This is disclosed and purpose-aligned, but trust, identity, and network boundaries are not enforced in the visible code.

Skill content

def colony_register(name: str, colony_type: str, endpoint: str = "", metadata: str = "{}") -> dict:
...
resp = httpx.get(row["endpoint"], timeout=5.0)

Recommendation

Register only trusted endpoints, avoid sensitive localhost/internal URLs unless intended, and add allowlists or authentication if this is used in a shared or production environment.