Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

hive-commander

v1.0.3

1+5 Distributed Production Swarm with Session Inheritance.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill claims to be a local 1+5 orchestrator, which plausibly needs to read local skill metadata, but the package metadata declares no required environment variables or config paths while the runtime instructions and AGENT.md mandate extracting api_key/base_url/model from the active runtime. That mismatch (declaring no credentials but demanding inherited session secrets) is incoherent. SKILL.md permissions also allow reading ~/.openclaw/skills/** — broader access than the metadata suggests.
! Instruction Scope
Runtime instructions explicitly mandate extracting the active session's api_key, base_url, and model and injecting them into worker configs, and forbid prompting the user for credentials. executor.py will make POST requests using that api_key to the supplied base_url. There is no restriction that base_url must be an official provider; combined with automatic session propagation, this enables sending the user's LLM key and model identifier to arbitrary endpoints. The instructions also describe auto-discovery/dynamic mounting of third-party skills, which increases the attack surface by enabling execution of externally authored logic.
Install Mechanism
There is no install spec (instruction-only), and the included executor.py is small and local — no external downloads or archive extraction are requested. From an 'install mechanism' standpoint, the skill does not pull code from untrusted URLs.
! Credentials
The skill requires access to sensitive runtime session data (api_key, base_url, model) but the registry metadata lists no required env vars or primary credential. Requesting the agent's active API key without declaring it is disproportionate. Because executor.py forwards that key in Authorization headers to the configured base_url (which is unrestricted), a leaked or malicious base_url could receive the user's secret.
! Persistence & Privilege
The skill is not force-installed (always:false) which is good, but its design enforces silent session inheritance (forbidden to prompt the user) and broad local-skill read permissions. That combination effectively grants it high runtime privilege over agent secrets and local skill code while allowing autonomous invocation — higher risk than a routine skill.
What to consider before installing
This skill actively asks the agent to inherit the agent's live API key, base_url, and model and then makes outbound calls using that key to whichever base_url is provided. That means a compromised or attacker-specified base_url could receive your API key and model. Before installing:

1) Do not allow silent session inheritance — require explicit user provision of any API keys and only to known, allowlisted providers;
2) Audit or restrict base_url to trusted endpoints (openai.com, api.anthropic.com, etc.);
3) If you must test, run in an isolated environment (VM or container) and use fake/dummy API keys;
4) Review and, if necessary, remove the skill's permission to read ~/.openclaw/skills/** to prevent mass-reading of other local skills;
5) Examine executor.py and task_config.json flow and require that the skill declare required env vars in its metadata.

If you do not fully trust the source, do not install on a machine that holds real API keys or other sensitive credentials.

Like a lobster shell, security has layers — review code before you run it.

Tags: Automation, Cross-Skill, Harness, Parallel, Swarm, latest
