Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
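Hivulse蜂巢 AI-Gen-Tech Docs: automatic technical document generation
v0.1.4
hivulse蜂巢 AI is an automated technical documentation generation tool for software development. It generates multiple kinds of standardized technical documents in one click from the code in a specified directory. Currently supported document types include user requirements specifications, requirements specifications, system high-level design descriptions, system detailed design descriptions, and others, more than ten report types in all. To apply for an API key, visit www.hivulse.com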
by Bo Cao (@mojo-bo-coder)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill name/description (automated technical-document generation from a project directory) matches what the code does: it collects files, filters common directories, uploads files to a hivulse API, checks status, and requests document generation. Requiring an HIVULSE_API_KEY is appropriate for this remote API integration.
Instruction Scope
Runtime instructions and code focus on the documented workflow (gather files, upload, request generation). However the tool will upload nearly all files in the specified directory (only node_modules, venv, .git, __pycache__, .idea, .vscode and *.pyc/*.log are explicitly excluded). It does not filter .env, *.pem, keys, or other secret files — so sensitive files in the project directory would be uploaded to the remote service. The code also reads OpenClaw configuration to find an API key (purpose-aligned), but one implementation path contains a hard-coded developer path (/Users/superlk/.openclaw/openclaw.json), which looks like a leftover and is inconsistent with other code that uses Path.home().
Install Mechanism
There is no remote installer or downloads; this is an instruction + Python script package with a small requirements.txt (requests, pathlib2). No external arbitrary download URLs or archive extraction are used in the provided files.
Credentials
The skill only requires a single credential (HIVULSE_API_KEY), which is proportional to contacting a remote API. The code attempts to source that key from several places (OpenClaw config, environment, local ~/.hivulseai/config.json). Reading the OpenClaw config is reasonable for convenience, but the code will read a file in the user's home directory (potentially exposing other configuration data during debugging/logging). The number of env vars requested is minimal and appropriate.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system-wide settings. It creates/uses a local config directory (~/.hivulseai) for storing its API key and last-used directory — this is normal for a CLI tool.
Assessment
This skill appears to do what it claims (upload your project and call hivulse cloud APIs) and only needs an HIVULSE_API_KEY. Before installing or using it:
1) Audit the code or run in a sandbox: the tool will upload nearly all files under the directory you give it. Ensure you do not upload secrets (environment files, private keys, credentials, .env, .pem, etc.), since those are not excluded by default.
2) Confirm the API endpoint and privacy policy for the hivulse service (the code uses 'https://cloud.hivulse.com' but other messages reference localhost; clarify which endpoint will be used).
3) Note minor sloppy items (a hard-coded path /Users/superlk in one code path and inconsistent endpoint mentions). These look like developer leftovers rather than malicious behavior but justify checking the files before use.
4) If you must use on sensitive code, strip sensitive files from the project or run a filtered copy.
5) If you have low trust in the remote service, do not provide the API key or upload private repositories.
Like a lobster shell, security has layers: review code before you run it.
Runtime requirements
📄 Clawdis
Env: HIVULSE_API_KEY
Primary env: HIVULSE_API_KEY
