ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hivulse蜂巢AI-Gen-Tech Docs 自动生成技术文档

v1.0.0

hivulse蜂巢 AI 是一款面向软件开发的自动化技术文档生成工具,通过指定目录代码一键生成多种规范化技术文档。目前已支持的文档类型包括:用户需求说明书、需求规格说明书、系统概要设计说明、系统详细设计说明等10几种报告。申请API Key请访问 www.hivulse.com

0· 69·0 current·0 all-time
byBo Cao@mojo-bo-coder
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code matches the stated purpose: it scans a directory, filters common folders, uploads files, checks status, and requests document generation. Required credential (HIVULSE_API_KEY) is consistent with a cloud API. However there are odd/inconsistent details: the SKILL.md and config.py mention a fixed localhost API address (http://localhost:8001) while the main class uses 'https://cloud.hivulse.com'. Also one method tries to read an OpenClaw config at a hardcoded path (/Users/superlk/.openclaw/openclaw.json) — that specific hardcoded absolute path is unexpected and not explained by the description.
!
Instruction Scope
SKILL.md instructs uploading an entire project directory to the service, which is consistent with the code. But SKILL.md contains contradictory guidance about how to configure the API key (it both shows exporting HIVULSE_API_KEY and later says "通过配置文件设置,无需环境变量"). The runtime code will read/writes a local config (~/.hivulseai/config.json), read OpenClaw config files, and may print partial key material in logs. The tool will upload all files except a short exclude list — this can unintentionally upload secrets (API keys, .env, config files) present in a project. The skill also attempts to access OpenClaw configuration files, including a suspicious hardcoded absolute path, which is scope creep beyond just reading an expected per-user OpenClaw config location.
Install Mechanism
There is no external installer; code is provided in the bundle and there is no download-from-net during install. This is lower risk than remote installers. Dependencies are minimal (requests, pathlib2) declared in requirements.txt. No suspicious remote install URLs or archive extraction.
!
Credentials
The skill requests a single credential (HIVULSE_API_KEY), which is appropriate for a cloud API. But it persists the API key in plaintext at ~/.hivulseai/config.json and prints a partial key to stdout in some places — this increases attack surface if the machine is shared or logs are stored. The code also attempts to read OpenClaw config files (expected), but one routine uses a hardcoded path to another user's home (/Users/superlk/.openclaw/openclaw.json) which is unexpected and disproportionate.
Persistence & Privilege
always:false and the skill does not request system-wide privileges. It creates and writes its own config directory ~/.hivulseai and config.json to persist API keys and last-used directory. Persisting the API key locally is functional but may be undesirable for users who prefer secrets only in secure vaults or environment variables. The skill does not attempt to modify other skills or global agent settings.
What to consider before installing
Key things to consider before installing/using: - The skill will upload the contents of the directory you point it at (excluding a short list). Review your project for secrets (API keys, .env, config files, private keys) that could be uploaded; remove or exclude them before running. - The code stores your HIVULSE_API_KEY in plaintext at ~/.hivulseai/config.json and prints a trimmed version in logs — if you prefer not to persist keys to disk, do not use the on-disk config and supply the key via a secure mechanism you control. - There are contradictory instructions and endpoints: SKILL.md/config.py refer to localhost:8001 while the main code uses https://cloud.hivulse.com. Confirm which endpoint the skill will actually contact and only use trusted endpoints. - One function references a hardcoded path (/Users/superlk/.openclaw/openclaw.json). This is unusual; check the code and consider removing or modifying that line so it only checks the current user's OpenClaw config (e.g., Path.home()). - If you will run this in an environment with sensitive or proprietary code, audit the files to be uploaded or run the tool in a controlled environment where uploads are safe. - If you decide to proceed, consider: (1) use a minimal-scope API key for hivulse, (2) rotate the key after use if you have concerns, and (3) review network traffic/endpoints the tool communicates with (e.g., via a proxy) to ensure it matches the expected service.

Like a lobster shell, security has layers — review code before you run it.

latestvk975gpqbr0ehv1xq3hdr5qtbbs83hhmm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📄 Clawdis
EnvHIVULSE_API_KEY
Primary envHIVULSE_API_KEY

Comments