Hivulse蜂巢AI-Gen-Tech Docs (automatic generation of technical documentation)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to generate technical documents as advertised, but it can upload broad project directories to a cloud service and handles API keys in ways users should review carefully.

Install only if you intentionally want selected project files sent to Hivulse's cloud service for documentation generation. Before running it, point it at a narrow, sanitized directory: remove .env files, private keys, certificates, customer data, and any proprietary files you do not want uploaded, and verify where the API key is stored. Prefer a workflow that shows the exact file list and destination before anything is uploaded.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (16)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
        interactive_path = skill_dir / "interactive.py"

        if interactive_path.exists():
            os.system(f"python {interactive_path}")
        else:
            print("❌ 交互式模块不存在")  # "Interactive module does not exist"
        return
Confidence
97% confidence
Finding
os.system(f"python {interactive_path}")

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises sensitive capabilities including environment access, filesystem reads/writes, network communication, and shell execution, but does not clearly declare permissions or present those capabilities to the user as explicit trust boundaries. In a user-invocable skill that operates on source trees, this increases the risk of unintended data access, exfiltration, or local command execution without informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is document generation from a local code directory, but the observed behavior includes reading/storing API keys from disk, uploading full project contents to an external cloud service, and invoking subprocesses. That mismatch is dangerous because users may provide proprietary repositories believing processing is local, while the skill actually introduces secret handling, persistence, and third-party transfer risks that are not transparently disclosed.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The documentation gives contradictory instructions for API key handling: one section requires an environment variable while another says no environment variable is needed and uses a local config file. Confusion around secret storage often leads users to place credentials in less secure locations, increasing the chance of accidental exposure, mishandling, or insecure persistence on disk.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill reads secrets from a hard-coded host configuration path outside its stated project-directory scope. That gives the tool unnecessary access to broader local configuration data and can silently harvest an API key from another application context, which violates least-privilege expectations.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill can invoke a separate Python script for interactive mode, which is an execution capability not strictly required for simple document generation and is implemented via shell execution. In this context, the feature makes the skill more dangerous because it permits control flow into another file whose behavior is outside this entrypoint's validation, expanding what the skill can do if the package is modified or the auxiliary script is malicious.
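The two findings above (the os.system() call and the interactive-mode hand-off) share one root cause: a file path is formatted into a single string and handed to the shell. The example below is added here to illustrate both; it is not the skill's own code. It keeps the flagged pattern only to show how a shell would tokenize it, then gives the hardened form: an argv list with no shell, the running interpreter instead of whatever `python` is first on PATH, and a containment check so a script outside the skill directory cannot be launched through this entrypoint. The file name interactive.py is taken from the finding; everything else is assumed.

```python
import shlex
import subprocess
import sys
from pathlib import Path


def build_vulnerable_command(interactive_path: Path) -> str:
    """The flagged pattern: one string handed to /bin/sh. Spaces, ';' or
    '$(...)' in the path become shell syntax, and 'python' is whatever PATH
    resolves to, not the interpreter the skill itself runs under."""
    return f"python {interactive_path}"


def shell_tokens(command: str) -> list:
    """How a POSIX shell splits the string (shlex follows the same word rules):
    a path containing a space no longer arrives as one argument."""
    return shlex.split(command)


def is_within(child: Path, root: Path) -> bool:
    """True only when `child`, after resolving '..' and symlinks, lies under `root`."""
    try:
        child.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def build_safe_command(skill_dir: Path, script_name: str = "interactive.py") -> list:
    """Hardened form: argv list (no shell), the running interpreter, and a
    containment check so a planted or modified script outside the skill
    directory cannot be launched through this entrypoint."""
    skill_dir = Path(skill_dir)
    script = skill_dir / script_name
    if not is_within(script, skill_dir):
        raise ValueError(f"refusing to run a script outside the skill directory: {script}")
    if not script.is_file():
        raise FileNotFoundError(script)
    return [sys.executable, str(script)]


def run_interactive(skill_dir: Path) -> int:
    """Launch interactive.py without a shell; the path is a single argv entry."""
    # shell=False is subprocess.run's default; passing a list avoids any re-parsing
    return subprocess.run(build_safe_command(skill_dir), check=False).returncode


if __name__ == "__main__":
    # Constructed path: with the shell form it splits into five words, two of which
    # are a second command; with the argv form it stays one argument.
    print(shell_tokens(build_vulnerable_command(Path("/tmp/skill dir; echo pwned"))))
    print(build_safe_command(Path(__file__).resolve().parent, Path(__file__).name))
```

The containment check matters beyond accidents: if the package is tampered with, or `skill_dir` is ever derived from user input, `is_within` is what stops `../something.py` from running under this entrypoint's privileges.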

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly describes uploading an entire project directory to a remote API, but it does not warn users that source trees commonly contain secrets, credentials, internal documentation, customer data, or proprietary code. In a tool whose core function is bulk file collection and transmission, omission of privacy and data-handling warnings materially increases the risk of inadvertent sensitive-data exfiltration.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are broad, generic terms like '创建文档' ("create document") and '文档生成' ("document generation") that are likely to appear in ordinary conversation. In this context, accidental activation is risky because the skill can read project files and send them to an external service, so an unintended match could initiate sensitive actions without deliberate user intent.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill description does not clearly warn that project files are uploaded to an external API/cloud service. Given that source repositories often contain proprietary code, credentials, internal documentation, or regulated data, omission of this fact materially undermines informed consent and creates a significant data exfiltration/privacy risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code persists the API key in a JSON config file under the user's home directory without any indication of file permission hardening, encryption, or user warning about local credential storage. If the host is shared, backed up insecurely, or the config directory is readable by other local users/processes, the key can be exposed and abused to access the associated service.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This code uploads project files to a remote cloud service, but the upload path lacks any explicit consent prompt, dry-run summary, or warning that local source code is leaving the machine. In a codebase context, uploaded files may contain proprietary code, secrets, credentials, or personal data, making undisclosed exfiltration materially risky.
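The three findings about missing upload warnings, together with the hard-coded configuration path finding, all point at the same missing step: a dry run that shows what will leave the machine, holds back obvious secret carriers, and refuses to follow anything outside the chosen directory. The example below is added here to show what that step looks like; it is not the skill's or Hivulse's code. The deny-lists, the content markers and the placeholder destination URL are constructed for the example, and the upload call itself is deliberately not implemented, since the point is what happens before it.

```python
import fnmatch
import hashlib
import os
from pathlib import Path

# Deny-lists constructed for this example; extend them per project.
DENY_NAMES = (".env", ".env.*", "*.pem", "*.key", "*.p12", "*.pfx", "*.crt",
              "id_rsa", "id_ed25519", "*.sqlite", "*.db", "credentials.json")
DENY_DIRS = (".git", "node_modules", "__pycache__", ".venv", "venv")
# Coarse content backstop, not a secret scanner: PEM blocks and AWS secret keys.
SECRET_MARKERS = (b"-----BEGIN ", b"AWS_SECRET_ACCESS_KEY")


def is_within(child: Path, root: Path) -> bool:
    """True only when `child`, after resolving symlinks, lies under `root`."""
    try:
        child.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def build_manifest(root, max_bytes=1_000_000):
    """Walk `root` and return (included, skipped): what would be uploaded,
    with size and SHA-256, and what was held back and why."""
    root = Path(root).resolve()
    included, skipped = [], []
    for dirpath, dirnames, filenames in os.walk(root):   # followlinks=False: no symlinked dirs
        dirnames[:] = [d for d in dirnames if d not in DENY_DIRS]
        for name in sorted(filenames):
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if any(fnmatch.fnmatch(name, pat) for pat in DENY_NAMES):
                skipped.append((rel, "denied by name"))
                continue
            if not is_within(path, root):            # symlinked file pointing elsewhere
                skipped.append((rel, "symlink escapes project root"))
                continue
            if not path.is_file():
                skipped.append((rel, "not a regular file"))
                continue
            if path.stat().st_size > max_bytes:
                skipped.append((rel, "exceeds size limit"))
                continue
            data = path.read_bytes()
            if any(marker in data for marker in SECRET_MARKERS):
                skipped.append((rel, "secret marker in content"))
                continue
            included.append({"path": rel, "size": len(data),
                             "sha256": hashlib.sha256(data).hexdigest()})
    return included, skipped


def describe(included, skipped, destination) -> str:
    """Plain-text summary: destination first, then every file with size and digest."""
    lines = [f"Destination: {destination}", f"Files to upload ({len(included)}):"]
    lines += [f"  {e['path']}  {e['size']} B  sha256:{e['sha256'][:12]}" for e in included]
    lines.append(f"Held back ({len(skipped)}):")
    lines += [f"  {rel}  [{why}]" for rel, why in skipped]
    return "\n".join(lines)


def confirm_upload(included, skipped, destination, ask=input) -> bool:
    """Show the exact file list and destination; proceed only on a typed 'UPLOAD'."""
    print(describe(included, skipped, destination))
    return ask("Type UPLOAD to send these files, anything else to abort: ").strip() == "UPLOAD"


if __name__ == "__main__":
    import sys
    inc, skp = build_manifest(sys.argv[1] if len(sys.argv) > 1 else ".")
    if confirm_upload(inc, skp, "https://api.example.invalid/upload"):   # placeholder destination
        print("proceed with upload of", len(inc), "files")
```

The digests in the manifest are worth keeping after the upload: they let you later prove exactly which bytes were sent if the provider's data handling is ever questioned. The content check is deliberately narrow; a real deployment should run a proper secret scanner over the included set as well.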

Missing User Warnings

Low
Confidence
85% confidence
Finding
The tool silently reads an API key from a local OpenClaw configuration file without clear disclosure or user approval. While this is less severe than direct data exfiltration, it creates surprising secret access behavior and may cause users to authenticate to a third-party service without realizing how credentials were sourced.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The wrapper loads a sensitive API key and then propagates it into process state for a child invocation, while also partially printing the key to stdout. Secrets placed in environment variables can be inherited by child processes and may be exposed through logs, crash reports, or process-inspection mechanisms depending on the host environment.
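The two findings above describe the two halves of credential handling that the scanner could not see done safely: how the key is stored on disk (a JSON file in the home directory with no permission hardening) and how it is passed onward (into process state, with part of it printed). The example below is added to show the practice a reviewer would expect for both; it is not the skill's code. The config path is whatever the caller passes in, the environment variable name HIVULSE_API_KEY is assumed (the page does not give the real one), and the fingerprint replaces any printing of key material.

```python
import hashlib
import json
import os
import stat
import subprocess
import tempfile
from pathlib import Path

KEY_ENV_VAR = "HIVULSE_API_KEY"   # assumed name; the page does not give the real variable


def save_api_key(path, api_key: str) -> None:
    """Persist the key with owner-only permissions: a 0700 directory of its own,
    a file created 0600 by mkstemp, then an atomic rename so no partially
    written or world-readable file ever exists at `path`."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)   # expects a dedicated subdirectory
    os.chmod(path.parent, 0o700)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".config-")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump({"api_key": api_key}, f)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def load_api_key(path) -> str:
    """Refuse a key file that other local users could read, or that is not
    owned by the current user, instead of silently trusting whatever is there."""
    path = Path(path)
    st = path.stat()
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_mode & 0o077:
        raise PermissionError(f"{path}: mode {oct(st.st_mode & 0o777)} is readable by group/others")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise PermissionError(f"{path}: not owned by the current user")
    with path.open() as f:
        return json.load(f)["api_key"]


def key_fingerprint(api_key: str) -> str:
    """What to print or log instead of any part of the key: enough to tell two
    keys apart, not enough to reconstruct either."""
    return "sha256:" + hashlib.sha256(api_key.encode()).hexdigest()[:12]


def run_child_with_key(argv, api_key: str) -> int:
    """Hand the key to exactly one child through an explicit, minimal environment.
    Mutating os.environ would expose it to every later subprocess and to
    anything that dumps the parent's environment."""
    env = {k: os.environ[k] for k in ("PATH", "HOME", "LANG") if k in os.environ}
    env[KEY_ENV_VAR] = api_key
    return subprocess.run(argv, env=env, check=False).returncode


if __name__ == "__main__":
    cfg = Path(tempfile.mkdtemp()) / "cfg" / "config.json"   # example location only
    save_api_key(cfg, "example-key-not-real")
    print("loaded key", key_fingerprint(load_api_key(cfg)))
```

Even with these checks the key still sits in the child's environment, where `/proc/<pid>/environ` and crash reporters can see it; if the child supports reading the key from a file descriptor or stdin, prefer that over the environment.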

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.25.0
pathlib2>=2.3.0
Confidence
94% confidence
Finding
requests>=2.25.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.25.0
pathlib2>=2.3.0
Confidence
87% confidence
Finding
pathlib2>=2.3.0
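Both unpinned-dependency findings are instances of one check a practitioner can automate: a requirement is only reproducible when it names an exact version and a hash for the artifact. The checker below is added here as an example and is not part of the skill or of SkillSpector; its requirements text is constructed from the two flagged lines plus one line in the hardened form (with a placeholder digest). It also flags pathlib2, which only backports the standard-library pathlib module and therefore adds supply-chain surface without adding functionality on any supported Python.

```python
import re

# Constructed requirements text: the two flagged lines plus one line in the
# form a hardened file should use (the digest below is a placeholder, not real).
SAMPLE_REQUIREMENTS = """\
requests>=2.25.0
pathlib2>=2.3.0
urllib3==2.2.1 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

# Packages that only backport a standard-library module; on any supported
# Python they add supply-chain surface without adding functionality.
STDLIB_BACKPORTS = {"pathlib2": "pathlib (stdlib since 3.4)",
                    "enum34": "enum (stdlib since 3.4)"}

# name, optional [extras], then the version specifier and any pip options
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$")


def audit_requirements(text: str):
    """Return (line, problem) pairs for every requirement that is not an exact,
    hash-locked pin. A lower bound such as '>=2.25.0' lets any future release,
    including a hijacked one, satisfy the install."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):      # blanks, comments, pip options (-r, --index-url)
            continue
        m = REQ_RE.match(line)
        if not m:
            findings.append((line, "unparseable requirement"))
            continue
        name, spec = m.group(1).lower(), m.group(3)
        pin = re.search(r"==\s*([^\s,;]+)", spec)
        if pin is None or "*" in pin.group(1):    # '==2.*' is still a range
            findings.append((line, "no exact == pin"))
        if "--hash=" not in spec:
            findings.append((line, "no --hash, downloaded artifact is unverified"))
        if name in STDLIB_BACKPORTS:
            findings.append((line, f"backport of {STDLIB_BACKPORTS[name]}; drop it"))
    return findings


if __name__ == "__main__":
    for line, problem in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{line:40} {problem}")
```

Once every line is pinned and hashed, `pip install --require-hashes -r requirements.txt` makes pip refuse anything that does not match. A pin does not make a version safe, only reproducible: the pinned set still has to be checked against advisories (for example with `pip-audit -r requirements.txt`), which is exactly what the known-vulnerable `requests` finding below is about.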

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
requests

VirusTotal

65/65 vendors flagged this skill as clean.
