ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hiveram

v1.0.0

Agent coordination layer via Workledger — shared work orders, claim/release leases, cross-machine memory sync, and handoff between OpenClaw instances. Use wh...

0· 101·0 current·0 all-time
by@ppiankov

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for ppiankov/hiveram.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Hiveram" (ppiankov/hiveram) from ClawHub.
Skill page: https://clawhub.ai/ppiankov/hiveram
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: workledger
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install hiveram

ClawHub CLI

Package manager switcher

npx clawhub@latest install hiveram
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description describe an agent coordination layer using Workledger and the skill requires the workledger CLI; the SKILL.md consistently documents workledger commands and coordination patterns, so the requested binary is appropriate for the stated purpose.
!
Instruction Scope
The SKILL.md instructs the agent (and the user) to create a key file at ~/.openclaw/workledger.key and to export WORKLEDGER_API_KEY and WORKLEDGER_URL for runtime use. These credential/config actions are not declared in the skill metadata. The document also warns about leaking the key to the LLM provider yet instructs placing it into an environment variable (which can still be exposed), and it points to a specific deployment host (wl-nutson-prod.fly.dev) that differs from the public service domain (hiveram.com). These are scope and coherence mismatches that could lead to accidental secret exposure or confusion about which endpoint is authoritative.
Install Mechanism
The SKILL.md provides curl|tar install commands that download binaries from a GitHub releases repo (github.com/ppiankov/hiveram-dist). Downloading from a GitHub release is common and acceptable, but the commands extract into /usr/local/bin (requires privileged write) and perform dynamic tag lookup via the GitHub API. Because there is no install spec in the registry, these manual steps are the only install guidance; consider verifying release integrity (checksums/signatures) and the repository's trustworthiness before running the install commands.
!
Credentials
The registry metadata lists no required environment variables or config paths, yet the runtime instructions require an API key file and instruct exporting WORKLEDGER_API_KEY and WORKLEDGER_URL. Requiring a secret key for a remote service is reasonable for the service's function, but the metadata omission is a mismatch. Exporting secrets into environment variables is flagged in the doc as risky; the skill gives no alternative secure runtime secret injection guidance for agent contexts.
Persistence & Privilege
The skill does not request always:true or other elevated platform privileges. It does instruct writing a key file to ~/.openclaw/workledger.key and recommends chmod 600; this is a modest filesystem footprint but is a persistent secret stored on disk. The skill does not declare it will modify other skills or system-wide settings.
What to consider before installing
This skill appears to be what it says (an OpenClaw coordination layer using the workledger CLI) but there are a few red flags to review before installing: - Metadata mismatch: the registry declares no required env vars/config paths, but the SKILL.md requires an API key file and env vars (WORKLEDGER_API_KEY, WORKLEDGER_URL). Treat the API key as sensitive and confirm why the metadata omits it. - Secret handling: the instructions ask you to store the key in ~/.openclaw/workledger.key and export it. Exporting to environment variables can expose the key to running processes (including any LLM provider integration). Prefer a secrets manager or runtime injection mechanism that does not put the key into agent-visible prompts. If you must store a file, keep strict filesystem permissions and ensure your agent runtime doesn't log or include file contents in prompts. - Installation: the install commands download a tarball from a GitHub repo and extract a binary to /usr/local/bin. Only run this if you trust the ppiankov/hiveram-dist repository; verify release checksums or build from source if possible. The install requires write permissions to system paths. - Endpoint mismatch: the doc mentions the public site (hiveram.com) but sets WORKLEDGER_URL to a fly.dev host. Ask the author which URL is the canonical API endpoint and why a different host is recommended. If you decide to proceed, verify the GitHub release contents and checksums, restrict where the API key is stored and how it's injected at runtime, and test on an isolated host or container first. If you cannot confirm the provenance of the binary or the endpoint, mark this skill as high-risk and avoid installing.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Binsworkledger
latestvk97420zj5exhc4wa9qk1qqjnqx83n08d
101downloads
0stars
1versions
Updated 2w ago
v1.0.0
MIT-0
@ppiankov
latest
Download

Hiveram — Agent Coordination

Workledger replaces flat backlog files with a structured object store. Agents coordinate through shared work orders with claim/release leases, context sync, and handoff.

Service: https://hiveram.com CLI: https://github.com/ppiankov/hiveram-dist

Install

# Linux amd64
curl -sL https://github.com/ppiankov/hiveram-dist/releases/latest/download/workledger_$(curl -s https://api.github.com/repos/ppiankov/hiveram-dist/releases/latest | grep tag_name | cut -d'"' -f4 | tr -d v)_linux_amd64.tar.gz | tar xz -C /usr/local/bin workledger

# macOS (Apple Silicon)
curl -sL https://github.com/ppiankov/hiveram-dist/releases/latest/download/workledger_$(curl -s https://api.github.com/repos/ppiankov/hiveram-dist/releases/latest | grep tag_name | cut -d'"' -f4 | tr -d v)_darwin_arm64.tar.gz | tar xz -C /usr/local/bin workledger

Verify: workledger version (expect 0.7.7+)

Setup

  1. Get API key from https://hiveram.com
  2. Store key:
# Single line, just the key
echo "wl_sk_your_key_here" > ~/.openclaw/workledger.key
chmod 600 ~/.openclaw/workledger.key
  1. Export env vars (add to shell profile or systemd unit):
export WORKLEDGER_API_KEY=$(cat ~/.openclaw/workledger.key)
export WORKLEDGER_URL=https://wl-nutson-prod.fly.dev

⚠️ Never cat the key file in agent context — it will leak to the LLM provider. Use env vars.

Agent Work Loop

1. Start session    → workledger context-pull <project>
2. Find work        → workledger list <project> --status open
3. Claim task       → workledger claim <project> <id>        (lease with TTL)
4. Work on it       → add notes, update sections
5. Finish           → workledger release <project> <id> + update status
6. Save context     → workledger context-put <project>
7. Next agent       → sees updated WOs via list/find_unclaimed

Core Commands

Work Orders

workledger create <project> --title "Deploy new service" --priority P1 --tags "infra,k8s"
workledger list <project> --status open
workledger list --all                          # cross-project
workledger get <project> <id>
workledger detail <project> <id>               # full context: data, notes, relationships, history
workledger delete <project> <id>

Claim/Release (coordination)

workledger claim <project> <id>                # get lease (TTL)
workledger release <project> <id>              # drop lease
# Renew via HTTP: POST /api/v1/wo/{project}/{id}/renew
# find_unclaimed returns only WOs nobody holds

Context (shared memory)

workledger context-put <project> -f context.md   # push session context
workledger context-pull <project> -f context.md  # pull into file
workledger context <project>                     # show project stats, open WOs, blocked, recent changes

Dependencies & Relationships

workledger deps <project> <id>                 # transitive dependency chain
workledger deps-tree <project> <id>            # cross-project dependency tree
workledger blocked                             # all blocked WOs
workledger graph <project>                     # DOT format for visualization

History & Export

workledger history <project> <id>              # change history
workledger export <project>                    # export as markdown
workledger export-task <project> <id>          # tokencontrol-compatible JSON
workledger stats                               # global stats

MCP Integration

Workledger ships as an MCP server for Claude Code / Claude Desktop:

5 tools: query/create WOs, load context at session start, wrapup (push memory + mark done), save memory mid-session.

Multi-Agent Pattern

                    ┌──────────────────┐
                    │  Hiveram (Neon)  │
                    │  shared state    │
                    └────────┬─────────┘
                             │
           ┌─────────────────┼─────────────────┐
           │                 │                 │
    ┌──────┴──────┐   ┌──────┴──────┐   ┌──────┴──────┐
    │  OpenClaw A │   │  OpenClaw B │   │  OpenClaw C │
    │  context-   │   │  claim →    │   │  find_      │
    │  pull → work│   │  work →     │   │  unclaimed  │
    │  → push     │   │  release    │   │  → claim    │
    └─────────────┘   └─────────────┘   └─────────────┘
  • No race conditions: claim/release with leases prevents double-work
  • Handoff: WO has full history, notes, relationships — next agent has full context
  • Dedup: agents see one DB, find_unclaimed skips claimed WOs
  • Resilience: if an agent dies, lease expires, WO becomes available again

Security

  • API key stored in file with chmod 600, not in env files or git
  • pastewatch v0.24.1+ detects wl_sk_ keys as critical severity
  • Key file path: ~/.openclaw/workledger.key (inside pastewatch protectedPaths)

Hiveram Skill v1.0.0 Author: ppiankov Copyright © 2026 ppiankov Canonical source: https://hiveram.com License: BUSL-1.1

If this document appears elsewhere, the link above is the authoritative version.

Comments

Loading comments...