v1.0.1

Hive Home

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 6:52 AM.

Analysis

The skill appears to do what it says, but it can use Hive credentials and persistent device keys to change home heating and hot-water settings, so it deserves careful review before installation.

Guidance: Install only if you trust the publisher and dependency source. Keep Hive credentials out of chat, store HIVE_* values in a protected secret store, do not print or log device credentials, and require explicit confirmation before the agent changes heating, hot water, lights, or plugs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium; Confidence: High; Status: Concern
scripts/hive_control.py
session.heating.setTargetTemperature(zone, args.temp) ... session.hotwater.setMode(hw, args.mode.upper())

These are direct state-changing calls for home heating and hot water. The artifacts do not include an approval requirement or safety limits before the agent runs these mutations.

User impact: If the agent invokes a control command unexpectedly or with the wrong parameters, it could change heating or hot-water behavior, causing discomfort, energy cost, or unwanted physical-device operation.
Recommendation: Use this skill only with explicit user requests for changes. Add or enforce confirmations and safe ranges for temperature, duration, mode, and zone before allowing state-changing commands.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: High; Status: Note
metadata
Source: unknown; Homepage: https://github.com/yourusername/agent-skills

The published source provenance is unclear and the homepage appears placeholder-like for a skill that requires smart-home account credentials. The docs also rely on a third-party unofficial API library.

User impact: Users have less assurance about the origin of the skill and its dependency chain before granting Hive account access.
Recommendation: Verify the repository and publisher before installing, and consider pinning/reviewing the pyhiveapi dependency version used with the skill.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Concern
SKILL.md
For automation (no 2FA each run): `HIVE_DEVICE_GROUP_KEY`, `HIVE_DEVICE_KEY`, `HIVE_DEVICE_PASSWORD` ... print("Store for device login:", device_data)

The skill uses persistent device credentials that bypass repeated 2FA, and the example prints those credentials to output for storage. In an agent or logged terminal, that can expose reusable account/device access.

User impact: Leaked Hive passwords or device credentials could let someone control connected Hive devices without repeating 2FA.
Recommendation: Store Hive secrets only in a secret manager or protected agent configuration, avoid running the credential-capture snippet in chat/logged contexts, and rotate device credentials if they are exposed.