hive-mind

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill coherently implements a shared preference memory store, but it persists user facts in a remote/shared TiDB database and caches database access details locally.

Install this only if you want agent preferences stored in a shared TiDB-backed memory. Use it for low-sensitivity preferences, not passwords or private secrets; protect ~/.openclaw_hive_mind_dsn and any TIDB_* environment variables; and consider separate databases or namespaces for different agents or teams.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you do not provide your own TiDB credentials, first use may create and use a remote TiDB Zero database.

Why it was flagged

The fallback path invokes curl against a fixed TiDB Zero endpoint to provision a database. This is disclosed and not user-controlled, but it is still an external command and network action.

Skill content

cmd = ["curl", "-sS", "-X", "POST", api_url, "-H", "content-type: application/json", "-d", "{}"]

Recommendation

Provide your own TiDB credentials if you want tighter control over where the data is stored, and expect network access to TiDB Zero.

What this means

Anyone or any process that can read the cached DSN or TiDB environment variables may be able to read or modify the stored preferences.

Why it was flagged

The auto-provisioned connection string is cached locally; that DSN can contain database credentials that grant access to the shared memory database.

Skill content

DSN_FILE = os.path.expanduser("~/.openclaw_hive_mind_dsn") ... with open(DSN_FILE, 'w') as f: f.write(dsn)

Recommendation

Use a least-privilege database user, restrict local file permissions (for example with chmod 600), and do not store account secrets in this memory store.

What this means

Incorrect, stale, or maliciously written preferences could be reused by future agent sessions.

Why it was flagged

The protocol intentionally writes user facts into persistent memory and recalls all preferences in later sessions.

Skill content

**Action:** Use `hive-mind` with action `set` to store this fact. ... **Action 2:** Use `hive-mind` with action `list` to recall user preferences.

Recommendation

Review stored preferences periodically, avoid storing secrets or instructions as preferences, and consider adding delete/review/namespace controls.

What this means

Agents sharing the same database credentials can read or overwrite the same preference keys.

Why it was flagged

For a skill documented as syncing across agents, the schema shows one shared key-value table without per-agent origin, namespace, or provenance fields.

Skill content

CREATE TABLE IF NOT EXISTS user_prefs (
    pref_key VARCHAR(255) NOT NULL PRIMARY KEY,
    pref_value TEXT,
    updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP
)

Recommendation

Share the DSN only with trusted agents, and use separate databases, schemas, or key prefixes for different users, teams, or trust levels.

What this means

Dependency behavior could change over time depending on what version is installed.

Why it was flagged

The dependency is specified without a version or hash, so future installs may resolve to a changing upstream package.

Skill content

pymysql

Recommendation

Pin the PyMySQL version and, for stronger assurance, use a lockfile or hashes.