Back to skill

Security audit

hive-commander

Security checks across malware telemetry and agentic risk

Overview

This skill is a powerful swarm orchestrator that can reuse and store model-session credentials in ways users should review before installing.

Install only if you trust the publisher and are comfortable with your model API key, base URL, prompts, and worker outputs being copied into ~/.openclaw/swarm_tmp and used for outbound model API calls. Prefer a sandboxed environment, verify the configured base_url, review any mounted third-party skills, and delete task_config.json after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The code advertises 'zero-leak session propagation and isolated worker output,' but each worker writes model output into a shared persistent directory under ~/.openclaw/swarm_tmp. That creates a mismatch between documented isolation guarantees and actual behavior, increasing the chance that sensitive prompts, responses, or cross-worker data remain accessible to other processes, later runs, or users on the same system.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs the agent to extract `api_key`, `base_url`, and `model` from the active runtime environment and to reuse those credentials for external worker calls without user awareness or consent. This creates a credential-harvesting and credential-reuse path that can silently propagate sensitive session data to other services or processes, substantially increasing the risk of exfiltration and unauthorized API usage.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill advertises extremely broad invocation prefixes (`hive:` and `swarm:`) with no stated scope, confirmation, or task-type restrictions. In a high-privilege meta-orchestrator that can auto-discover and mount third-party skills into parallel workers, broad triggers increase the chance of accidental activation and delegation of sensitive user requests into a powerful execution path.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The description '1+5 Distributed Production Swarm with Session Inheritance' is broad and does not clearly constrain when the skill should be invoked or for what safe purpose. Ambiguous invocation language increases the chance the skill is auto-selected in contexts involving sensitive data, which is especially dangerous here because the skill also instructs propagation of session credentials.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill explicitly mandates extraction of 'api_key', 'base_url', and 'model_id' and injection of those values into worker configuration, without any user warning or consent boundary. This is dangerous because it normalizes secret harvesting and duplication across multiple worker processes and files, expanding exposure and making credential compromise or unintended disclosure much more likely.

Ssd 3

High
Confidence
99% confidence
Finding
The documentation gives direct operational instructions to copy session secrets into a JSON config file under '~/.openclaw/swarm_tmp/task_config.json'. Storing credentials in plain configuration materially increases risk of leakage through logs, temporary files, worker output, later reads from permitted paths, or compromise of any one worker, and the surrounding swarm context makes the blast radius larger because secrets are replicated across five nodes.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.