Hivulse蜂巢AI-Gen-Tech Docs (automatic technical-documentation generation)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to perform the stated cloud document-generation task, but it can upload broad project contents and handles API keys in ways users should review first.

Install only if you are comfortable sending the selected project directory to the Hivulse cloud. Run it against a cleaned copy of the project: remove .env files, private keys, credentials, customer data and proprietary files first, and verify the exact directory and document type before anything is uploaded. Treat ~/.hivulseai/config.json and the OpenClaw API-key settings as sensitive, and prefer an isolated environment with pinned dependencies for sensitive work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (15)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
interactive_path = skill_dir / "interactive.py"

if interactive_path.exists():
    os.system(f"python {interactive_path}")
else:
    print("❌ Interactive module not found")
return
Confidence
95% confidence
Finding
os.system(f"python {interactive_path}")
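How a "Behavioral AST" check of this kind arrives at the finding above, as an added example written for this page (it is not SkillSpector's own code, and the scanner's real rules are not public here). It parses Python source with the standard-library ast module and flags shell sinks (os.system, os.popen, subprocess.* with shell=True), exec/eval/__import__ and importlib.import_module, rating a shell sink High when its command string is built at runtime (an f-string, concatenation or variable) rather than a literal. The SAMPLE text is a constructed copy of the flagged snippet wrapped in a function so that it parses on its own.

```python
import ast

# Constructed sample: the snippet from the finding, wrapped in a function so it parses.
SAMPLE = '''
import os

def run_interactive(skill_dir):
    interactive_path = skill_dir / "interactive.py"
    if interactive_path.exists():
        os.system(f"python {interactive_path}")
    else:
        print("interactive module not found")
    return
'''

# Calls whose command string reaches a shell. os.* always does; subprocess.* only with shell=True.
SHELL_SINKS = {
    ("os", "system"), ("os", "popen"),
    ("subprocess", "call"), ("subprocess", "run"), ("subprocess", "Popen"),
    ("subprocess", "check_call"), ("subprocess", "check_output"),
}
EXEC_SINKS = {"eval", "exec", "__import__"}


def _target(func):
    """Return (module, attr) for `mod.attr(...)`, (None, name) for `name(...)`, else None."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (func.value.id, func.attr)
    if isinstance(func, ast.Name):
        return (None, func.id)
    return None


def _is_dynamic(arg):
    """True unless the argument is a plain string literal (f-strings are ast.JoinedStr)."""
    return not (isinstance(arg, ast.Constant) and isinstance(arg.value, str))


def scan(source):
    """Return [(lineno, severity, message)] for dangerous execution sinks in `source`."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        target = _target(node.func)
        if target is None:
            continue
        mod, name = target
        first_arg = node.args[0] if node.args else None
        if (mod, name) in SHELL_SINKS:
            shell = mod == "os" or any(
                kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                for kw in node.keywords
            )
            if shell:
                dynamic = first_arg is not None and _is_dynamic(first_arg)
                sev = "High" if dynamic else "Medium"
                how = "built at runtime" if dynamic else "a literal"
                findings.append((node.lineno, sev, f"{mod}.{name} through a shell; command is {how}"))
        elif mod is None and name in EXEC_SINKS:
            findings.append((node.lineno, "High", f"{name}() call"))
        elif (mod, name) == ("importlib", "import_module"):
            findings.append((node.lineno, "Medium", "dynamic import"))
    return findings


if __name__ == "__main__":
    for lineno, sev, msg in scan(SAMPLE):
        print(f"line {lineno}: {sev}: {msg}")
```

On the sample this reports a single High finding at the os.system line, because the f-string makes the command data-dependent: a skill directory whose path contains spaces or shell metacharacters changes what the shell executes. Calls such as subprocess.run(["ls"]) with an argv list and no shell=True are not reported.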

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises no explicit permissions, yet its documented behavior and detected capabilities include reading local files and environment variables, writing config data, making network requests, and invoking shell/subprocess helpers. This undermines informed consent and permission transparency, increasing the risk that users expose sensitive code, credentials, or system context without realizing the full scope of access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The description frames the skill as a document generator, but the documented/observed behavior extends to reading local configuration files, persisting API keys, enumerating project contents, uploading files to a remote cloud service, and running helper subprocesses. That mismatch is dangerous because users may authorize it under a narrower mental model and unintentionally disclose source code, secrets, or local environment data to an external service.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill reads a secret from an unrelated local OpenClaw configuration file using a hard-coded user-specific path and regex extraction, rather than requiring explicit user-supplied credentials. This crosses a trust boundary and can silently appropriate credentials from the host environment, enabling unauthorized use of another service account and potentially exposing or misusing sensitive project data.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Interactive mode delegates execution to a separate Python script via shell execution, which expands the skill's execution surface beyond simple document generation. In this context, the capability is more dangerous because the skill is expected to process project directories, so spawning another script can bypass tighter control flows and makes review of the true runtime behavior harder.
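A hardened way to launch the helper, added here as an example (not the skill's own code). It assumes the helper lives inside the skill directory under a fixed name: the path is resolved and checked to stay within skill_dir, the child is started with the current interpreter (sys.executable) and an argv list so no shell ever parses the path, and the caller can pass a reduced environment so the child does not inherit every variable of the parent.

```python
import subprocess
import sys
from pathlib import Path


def resolve_helper(skill_dir, name="interactive.py"):
    """Return the helper's real path, refusing anything that resolves outside skill_dir."""
    base = Path(skill_dir).resolve()
    candidate = (base / name).resolve()          # follows symlinks and collapses ".."
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"helper escapes skill directory: {candidate}")
    if not candidate.is_file():
        raise FileNotFoundError(candidate)
    return candidate


def run_helper(skill_dir, name="interactive.py", env=None):
    """Run the helper with the current interpreter and an argv list; return its exit code."""
    helper = resolve_helper(skill_dir, name)
    # No shell is involved: the path is one argument even if it contains spaces or
    # metacharacters, and sys.executable avoids relying on what `python` means on PATH.
    # `env` (assumed to be a reduced mapping built by the caller) keeps secrets such as
    # API keys out of the child's environment unless explicitly passed.
    result = subprocess.run([sys.executable, str(helper)], env=env, check=False)
    return result.returncode


if __name__ == "__main__":
    print("exit code:", run_helper(Path(__file__).parent))
```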

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly states that the tool scans a specified directory and batch uploads files to an API, but it does not warn users that source trees often contain secrets, credentials, private code, configuration data, or regulated information. In a developer tool, this omission is security-relevant because users may upload entire projects to a third-party endpoint without understanding the data exposure risk.

Vague Triggers

Medium
Confidence
81% confidence
Finding
Overly broad trigger phrases such as generic requests to generate or create documents can cause the skill to activate in situations where the user did not intend to upload source code or invoke an external service. In this skill's context, accidental activation is more dangerous because the documented workflow includes scanning a directory and transmitting project files remotely.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Ambiguous activation conditions without clear scope boundaries make it easier for the skill to run on ordinary documentation-related requests that may not imply consent to inspect a codebase or contact a third-party API. Because this skill operates on local project directories and uploads their contents, ambiguity materially increases the chance of unintended data exposure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill description states that files from a specified directory are uploaded through an API, but it does not provide a prominent privacy or data-transmission warning. In a code-documentation tool, uploaded files may contain proprietary source code, embedded secrets, credentials, customer data, or internal architecture details, making undisclosed transmission to a remote service a significant confidentiality risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code stores the API key in a plaintext JSON file under the user's home directory and does so automatically when set_api_key() is called, without warning the user about local credential persistence. If the host is multi-user, backed up to shared storage, compromised by malware, or has weak filesystem permissions, the credential can be recovered and abused to access the associated service.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The tool recursively enumerates the target directory and uploads essentially all files to a remote service, excluding only a small set of directories and extensions. In a developer environment this can exfiltrate source code, secrets, credentials, internal documents, and other sensitive artifacts without a clear per-run warning or explicit confirmation of what will be transmitted.
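The per-run check the finding asks for, as an added example that is not part of the skill: before anything is sent, enumerate the directory into a manifest, skip directories, names and suffixes that should never leave the machine, upload only allow-listed source and text suffixes, and block any file whose content matches simple secret heuristics. The lists and regular expressions are assumed policy for illustration, not the skill's own exclusion lists, and the patterns are deliberately crude; the point is that the user sees exactly what would be transmitted and why.

```python
import re
from pathlib import Path

# Assumed policy, not the skill's own exclusion lists.
DENY_DIRS = {".git", ".hg", "node_modules", "__pycache__", ".venv", "venv", "dist", "build"}
DENY_NAMES = {".env", ".npmrc", ".pypirc", ".netrc", "id_rsa", "id_ed25519"}
DENY_SUFFIXES = {".pem", ".key", ".p12", ".pfx", ".jks", ".kdbx", ".sqlite", ".db"}
ALLOW_SUFFIXES = {".py", ".md", ".txt", ".rst", ".js", ".ts", ".go", ".rs", ".java",
                  ".toml", ".yaml", ".yml", ".json", ".cfg", ".ini"}
MAX_BYTES = 1_000_000

# Constructed secret heuristics; a real deployment would use a proper secret scanner.
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                                   # AWS access key id shape
    re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),   # PEM private key
    re.compile(r'''(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*["'][^"']{8,}'''),
]


def classify(path, root):
    """Decide what happens to one file: 'upload', 'block:secret', or a 'skip:<reason>'."""
    rel = path.relative_to(root)
    if any(part in DENY_DIRS for part in rel.parts[:-1]):
        return "skip:dir"
    if path.name in DENY_NAMES or path.name.startswith(".env"):
        return "skip:name"
    if path.suffix.lower() in DENY_SUFFIXES:
        return "skip:suffix"
    if path.suffix.lower() not in ALLOW_SUFFIXES:
        return "skip:not-allowlisted"
    if path.stat().st_size > MAX_BYTES:
        return "skip:size"
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return "skip:unreadable"
    if any(rx.search(text) for rx in SECRET_PATTERNS):
        return "block:secret"
    return "upload"


def build_manifest(root):
    """Map every regular file under root (symlinks excluded) to its classification."""
    root = Path(root).resolve()
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = classify(p, root)
    return manifest


def plan_upload(root):
    """Return (files_to_upload, files_blocked_for_secrets, full_manifest)."""
    manifest = build_manifest(root)
    to_upload = [k for k, v in manifest.items() if v == "upload"]
    blocked = [k for k, v in manifest.items() if v == "block:secret"]
    return to_upload, blocked, manifest


if __name__ == "__main__":
    import sys
    up, blocked, manifest = plan_upload(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel, verdict in manifest.items():
        print(f"{verdict:22} {rel}")
    print(f"\n{len(up)} file(s) would be uploaded, {len(blocked)} blocked for secrets.")
    if blocked:
        sys.exit(1)   # refuse to proceed until the operator cleans the tree
```

Printing the manifest and exiting non-zero when a secret is detected turns the implicit "upload everything" into an explicit, reviewable step; an allowlist of suffixes is safer than the small denylist the finding describes because anything unexpected defaults to "skip".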

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code retrieves a sensitive API key and later propagates it to a child process, but there is no meaningful user notice about secret handling, scope, or exposure risks. In addition, the script prints part of the API key to stdout, which can leak sensitive material into logs, terminals, or agent transcripts.
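Credential persistence done with the warnings and controls the last two findings ask for, added here as an example and not taken from the skill. It assumes a POSIX filesystem (the permission bits are meaningless on Windows) and a caller-supplied config path standing in for the skill's ~/... location: the directory is created 0700, the file is written 0600 through a temporary file and an atomic rename, loading refuses a file that is readable by group or others, and logging uses a short SHA-256 fingerprint so that no part of the key ever reaches stdout or an agent transcript.

```python
import hashlib
import json
import os
import stat
from pathlib import Path


def save_api_key(config_path, api_key):
    """Persist api_key in JSON under config_path with owner-only permissions (POSIX assumed)."""
    config_path = Path(config_path)
    config_path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    os.chmod(config_path.parent, 0o700)          # mkdir mode is subject to umask; enforce it
    data = {}
    if config_path.exists():
        data = json.loads(config_path.read_text() or "{}")
    data["api_key"] = api_key
    tmp = config_path.with_name(config_path.name + ".tmp")
    # Create the file 0600 at open time so it is never world-readable, even briefly.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(data, fh)
    os.replace(tmp, config_path)                 # atomic swap; no half-written config
    os.chmod(config_path, 0o600)
    return config_path


def load_api_key(config_path):
    """Read the key back, refusing a config file that other users could read."""
    p = Path(config_path)
    mode = stat.S_IMODE(p.stat().st_mode)
    if mode & 0o077:
        raise PermissionError(f"{p} is readable by group/others (mode {mode:o}); fix with chmod 600")
    return json.loads(p.read_text()).get("api_key")


def fingerprint(secret):
    """Short SHA-256 prefix for logs: identifies which key is in use without revealing any of it."""
    if not secret:
        return "<unset>"
    return hashlib.sha256(secret.encode()).hexdigest()[:8]


if __name__ == "__main__":
    path = Path.home() / ".example-skill" / "config.json"   # assumed location for the demo
    save_api_key(path, "sk-constructed-example-key-0001")
    print("stored key fingerprint:", fingerprint(load_api_key(path)))
```

A practitioner would still prefer the platform keyring or a secret manager over a JSON file, but if a file is used, these three controls (0600 at creation, a permission check on read, fingerprint-only logging) remove the failure modes the findings describe: shared-host and backup exposure, and partial keys in terminals and transcripts.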

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.25.0
pathlib2>=2.3.0
Confidence
93% confidence
Finding
requests>=2.25.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.25.0
pathlib2>=2.3.0
Confidence
72% confidence
Finding
pathlib2>=2.3.0
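A check that reproduces both unpinned-dependency findings from a requirements file, added here as an example rather than scanner code. It joins backslash continuations the way pip does, treats a requirement as pinned only when its specifier is an exact "==" with no wildcard or range, and as hashed when at least one --hash option accompanies it. Two caveats the report does not spell out: ">=2.25.0" admits every requests release from 2.25.0 onward, including the ones predating the fixes in the 2.32.x series for the advisories listed below, so a resolver is free to install a vulnerable version; and pathlib2 is a backport of the standard-library pathlib for old interpreters, which a Python 3 skill does not need at all. The hash in the test is a constructed placeholder, not a real digest.

```python
import re

# name, optional [extras], version specifier, optional ; environment marker
REQ = re.compile(
    r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)\s*"
    r"(?:\[[^\]]*\])?\s*(?P<spec>[^;]*?)\s*(?:;.*)?$"
)


def _logical_lines(text):
    """Yield requirement lines with comments stripped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def check_requirements(text):
    """Map each package name to 'pinned+hashed', 'pinned' or 'unpinned' ('unparsed' if unreadable)."""
    results = {}
    for line in _logical_lines(text):
        if line.startswith("-"):                  # -r, -e, --index-url and similar options
            continue
        parts = line.split()
        hashes = [p for p in parts if p.startswith("--hash=")]
        req = " ".join(p for p in parts if not p.startswith("--"))
        m = REQ.match(req)
        if not m:
            results[line] = "unparsed"
            continue
        name = m.group("name")
        spec = m.group("spec").replace(" ", "")
        exact = (spec.startswith("==") and not spec.startswith("===")
                 and "," not in spec and "*" not in spec)
        if exact and hashes:
            results[name] = "pinned+hashed"
        elif exact:
            results[name] = "pinned"
        else:
            results[name] = "unpinned"
    return results


if __name__ == "__main__":
    # The two lines from the finding above.
    for name, status in check_requirements("requests>=2.25.0\npathlib2>=2.3.0\n").items():
        print(f"{name}: {status}")
```

In practice the remediation is to generate the pinned, hashed file with a resolver (for example pip-compile --generate-hashes from pip-tools) and install with pip's --require-hashes, so that an attacker who publishes a new release or compromises a mirror cannot change what gets installed.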

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
requests

VirusTotal

66/66 vendors flagged this skill as clean.
