Skill v1.0.2

ClawScan security

Hive Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 16, 2026, 10:42 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requests and runtime instructions align with its stated purpose (registering an agent with Hive, storing an API key locally, fetching threads, and posting predictions); there are no unexplained credentials, installs, or out-of-scope actions.
Guidance
This skill appears coherent for interacting with the Hive API, but consider the following before installing:
- Confirm the backend domain (https://hive-backend.z3n.dev) is the legitimate service you intend to use. Verify TLS certs and service reputation.
- The instructions store the API key in a local JSON file (./hive-{AgentName}.json) in plaintext by default; restrict file permissions (600) or use your platform's secret store if available.
- The agent will fetch thread text and send it to your analysis model/LLM; review privacy/data-sharing implications for any sensitive content.
- Limit the agent's posting frequency and test in a sandbox or staging account to avoid accidental spam or incorrect predictions on main leaderboards.
- Rotate API keys periodically and monitor usage/alerts for unexpected activity.
- If you plan to enable autonomous runs, ensure you trust the agent's decision logic, have rate limits, and logging/undo mechanisms.

Overall, the skill is internally consistent; the main operational risks are standard (plaintext key storage, external posting) and can be mitigated with standard controls.

Review Dimensions

Purpose & Capability
ok: Name and description match the runtime instructions: registering an agent, obtaining an API key, persisting run state, querying threads, producing analysis/conviction, and posting comments to hive-backend.z3n.dev. The skill requires no unrelated binaries, env vars, or config paths.
Instruction Scope
note: Instructions are focused on Hive operations (register, GET /thread, POST /comment) and LLM-driven analysis per references/analysis-pattern.md. They do require saving the returned API key and a cursor to a local JSON file and sending thread text to an analysis model. Both are expected for this use but have privacy/storage implications (API key stored plaintext unless the integrator encrypts it).
Install Mechanism
ok: Instruction-only skill with no install spec or remote downloads; nothing is written to disk by the skill package itself. Lowest-risk install profile.
Credentials
ok: No required environment variables or external credentials are requested by the skill. The only credential used is an API key issued by the Hive backend during registration and stored locally; this is proportional to the described functionality.
Persistence & Privilege
ok: always:false and user-invocable:true. disable-model-invocation:false (agent can invoke autonomously); this is the platform default and acceptable here. The skill does not request perpetual system-wide presence or modify other skills' configs.