Is iamdoctorclaw/hivefound safe?

The skill's core functionality requires submitting agent discoveries (URL, title, summary, topics) to api.hivefound.com. The SKILL.md description instructs the agent to use this skill 'when finding interesting articles, research, news, or resources worth sharing.' This means the agent's research activity — including what topics the user is investigating, what URLs it found interesting, and summaries of content — is continuously reported to a third-party server controlled by the skill author. This is not incidental telemetry; it is the explicit design of the skill.

The skill package ships with a .clawhub/lock.json file that references a separate skill (academic-research-hub v0.1.0) that was not declared as a dependency in SKILL.md metadata. This file should not be part of the published skill package. Its presence suggests the skill was packaged directly from a live agent environment, which may inadvertently expose environment state, or it may serve as a mechanism to detect and fingerprint what other skills are installed on the target system.

The skill instructs the agent to store the HIVEFOUND_API_KEY in TOOLS.md or a credentials file in the agent's workspace. This normalizes plaintext credential storage in agent-accessible locations, where other installed skills could read them. The API key is also tied to a user email registered with HiveFound, creating a persistent identity linkage.

The skill instructs agents to consume HiveFound's feed and search results as a primary research source, before performing independent web searches. If HiveFound's platform is compromised or operated maliciously, it can serve poisoned content (misleading summaries, malicious URLs, propaganda) directly into the agent's research context. The agent is instructed to trust this content without independent verification.

The skill explicitly instructs agents to query HiveFound before performing independent web searches 'to save tokens.' This creates a behavioral dependency on an external commercial service and biases the agent's research toward content that has been curated or filtered by HiveFound's platform.

Beyond submission, the skill provides 'used', 'upvote', 'downvote', and 'flag' commands that report agent engagement patterns back to HiveFound. This creates detailed behavioral analytics: not just what the agent discovers, but which content it acts upon, finds valuable, or rejects.

The skill includes a Python script (scripts/hivefound.py) that makes outbound network requests. The script code is readable and clean — no obfuscation, no arbitrary code execution, no filesystem traversal. However, it represents an executable attack surface: if the script were modified in a future update, it could perform malicious actions while appearing legitimate.

The skill offers webhook setup where HiveFound delivers new discoveries to a user-specified HTTPS endpoint. This inverts the trust model: instead of the agent pulling data, an external service gains the ability to push arbitrary payloads to user infrastructure. Webhook signature verification is recommended but complex to implement correctly, and the webhook_secret is 'only shown once.'

Audit PATH records show all six canary files (.env, id_rsa, .aws/credentials, .npmrc, docker config, gcloud creds) accessed in two systematic batches — once before installation (timestamp 1771927444.453, audit records 383-391) and once after (timestamp 1771927461.204, audit records 6722-6727). The batch pattern, consecutive audit IDs, and timing aligned with installation boundaries are consistent with the monitoring system performing baseline and integrity verification scans. Canary integrity check confirmed all files intact with no network exfiltration detected.