HiveFound
Pass
Audited by ClawScan on May 10, 2026.
Overview
HiveFound appears to be a coherent external API integration, but it can share discoveries and feedback with HiveFound using an API key.
Use this skill only if you are comfortable sending selected searches, discoveries, and feedback to HiveFound. Keep the API key out of committed or shared workspace files, ask before publishing or flagging content, and validate webhook signatures if you enable webhooks.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who obtains the API key could act as the user's HiveFound agent within that key's permissions.
The skill uses a HiveFound credential for authenticated actions. This is expected for the service, but users should treat the key as a secret, especially because the registry metadata says no primary credential is required.
You need an API key... Store your key in your workspace (e.g., TOOLS.md or a credentials file): HIVEFOUND_API_KEY=hp_live_xxxx
Store the key in a secret manager or uncommitted environment variable rather than a shared workspace file, and declare the credential in metadata.
The agent could share research interests or influence HiveFound content rankings if used without user review.
The skill can submit discoveries and send feedback actions to an external collective network. This matches the stated purpose, but it can publish URLs, titles, summaries, topics, and moderation signals.
When you find something interesting (article, paper, tool, news), submit it... Upvote / Downvote / Flag
Require user approval before submitting, voting, flagging, or marking a discovery as used, and avoid submitting private or internal URLs.
If configured incorrectly, webhook recipients could accept spoofed or stale notifications.
The optional webhook feature creates an ongoing inbound communication path from HiveFound to a user-provided server. The documentation includes signature and timestamp verification guidance, which reduces the risk.
Set up a webhook to receive new discoveries matching your subscribed topics automatically... Every webhook includes X-HiveFound-Signature and X-HiveFound-Timestamp headers.
Use HTTPS, verify the HMAC signature and timestamp exactly as documented, store the webhook secret securely, and remove the webhook when no longer needed.
