Agentic Beehive
Suspicious
Audited by ClawScan on May 13, 2026.
Overview
The skill is mostly an instruction-only agent workflow, but its composing branch embeds credential-like API/JWT values and depends on private AutoGen resources that are not declared or reviewable.
Review this skill before installing or invoking the composing branch. Remove or rotate any real keys, replace embedded credentials with your own scoped credentials, inspect the referenced AutoGen MCP script and database before use, and avoid enabling live trading or long-running agent workflows without explicit approvals and clear data-retention rules.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could try to use embedded or publisher-specific credentials, potentially affecting someone else's provider account, billing, or AutoGen session.
The skill text contains credential-like provider API keys and a JWT-like AutoGen token, but the metadata declares no credentials. Even if partially redacted, this is high-impact account/session authority that is not scoped or user-supplied.
API Key: `sk-a94a…8ce3` ... API Key: `sk-cp-…I35Y` ... TOKEN = "eyJhbG…tpzo" # AutoGen Studio JWT
Remove embedded secrets, rotate any real exposed keys, declare required credentials explicitly, and require users to provide their own scoped credentials through environment variables or a secure credential flow.
If invoked, the agent may rely on local code and database state whose contents, permissions, and side effects are unknown to the installing user.
The skill depends on a local AutoGen database and MCP helper script that are not included in the package or install specification, leaving the referenced runtime behavior and provenance unreviewable.
Database | `/home/hongliang/.autogenstudio/*.db` ... MCP script | `/home/hongliang/.openclaw/workspace/autogen/mcp_autogen_studio_v2.py`
Include the referenced helper code in the package or remove the dependency; document exact installation, versioning, permissions, and data flow before users invoke the composing branch.
Prompts or files provided to the composing workflow could be sent through a multi-agent system and external model providers under unclear account and data-boundary assumptions.
The composing branch routes user prompts into an AutoGen Studio team over MCP/WebSocket using a token in the URL, but does not clearly define identity, permissions, retention, or which data is forwarded to DeepSeek/MiniMax.
autogen-studio__chat_start(team_id=30, message="你的问题") ... ws://localhost:8081/api/ws/runs/{rid}?token={TOKEN}
Require explicit user consent before sending content to AutoGen or external providers, avoid tokens in URLs, document retention/sharing behavior, and use user-owned scoped credentials.
Project details and workflow preferences may remain on disk and be reused later.
The coding branch stores task contracts, validation evidence, and handoff notes locally for reuse. This is disclosed and purpose-aligned, but it creates persistent context that can influence future tasks.
Memory lives in `~/agentic-coding/` ... `memory.md`, `contracts.md`, `evidence.md`, `handoffs.md`
Review the ~/agentic-coding/ files periodically, avoid saving secrets, and delete the directory if you no longer want the skill to retain coding context.
If later connected to broker tools, trading actions could have real financial consequences.
The quant-trading branch discusses automated execution for some trade paths while also requiring approvals for live or higher-risk actions. No broker credentials or executable trading code are present, so this is a high-impact design note rather than proof of unsafe execution.
[amount < threshold] auto-execute ... [amount ≥ threshold] interrupt() manual approval ... Live trading | Real-time data | Real fills | All require approval
Keep trading workflows in backtest or paper mode by default, require explicit approval for all live orders, and set strict position, loss, and exposure limits.
