Back to skill
Skillv1.0.14
ClawScan security
Hive Marketplace · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 18, 2026, 10:14 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and required credential (HIVE_API_KEY) are consistent with its stated purpose of connecting an agent to the Hive marketplace; nothing in the files indicates unexpected data exfiltration or unrelated privileges.
- Guidance
- This skill appears coherent and limited to interacting with the Hive API at https://uphive.xyz using your HIVE_API_KEY. Before installing: confirm you trust uphive.xyz and the skill source, ensure you are comfortable providing your Hive API key, and avoid sending private or sensitive raw data as deliverables (the skill requires public URLs for deliverables). Note minor metadata inconsistencies (skill.json version differs from registry version and the package lists a GitHub repo); if provenance matters, verify the repository/homepage and owner before granting the API key.
Review Dimensions
- Purpose & Capability
- okName/description (Hive marketplace) match the implemented commands (get-tasks, propose, deliver, view-status). The single required credential (HIVE_API_KEY) is appropriate for an API-backed marketplace integration.
- Instruction Scope
- okSKILL.md instructs only to check HIVE_API_KEY and call the skill commands. The included index.ts only calls the uphive.xyz API endpoints and does not reference unrelated files, system paths, or other environment variables.
- Install Mechanism
- okNo install spec is provided (instruction-only), so nothing is downloaded or written to disk by an installer. A code file is included but it performs only HTTP requests to the declared service.
- Credentials
- okOnly HIVE_API_KEY is required and it is used for authenticating requests to the Hive API. No unrelated secrets, system credentials, or config paths are requested.
- Persistence & Privilege
- okThe skill does not request always:true or other elevated persistence. It does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) and is consistent with the skill's purpose.