You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
https://clawhub.ai/packages/hivemind returns "This plugin does not exist or has been removed." Live as of 2026-05-15 (the day this issue is filed).
CI publish workflow last reported success on Publish openclaw bundle to ClawHub at the 0.7.26 release (2026-05-14T17:18 UTC), so the takedown happened after publish — i.e. ClawHub's post-publish moderation scan flagged the bundle and removed it.
Root cause
Running npm run audit:openclaw (the in-repo replica of ClawHub's static rules) against the current main's bundle shows 5 CRITICAL violations + 2 WARN:
✗ [CRITICAL] env-harvesting
openclaw/dist/index.js:727
Environment variable access combined with network send (possible credential harvesting)
> Number(process.env.HIVEMIND_SEMANTIC_LIMIT ?? "20")
✗ [CRITICAL] env-harvesting
openclaw/dist/skilify-worker.js:11
> var DEBUG = process.env.HIVEMIND_DEBUG === "1";
✗ [CRITICAL] dangerous-exec
openclaw/dist/skilify-worker.js:305
Shell command execution detected (child_process)
> const out = execFileSync("which", [name], {
✗ [CRITICAL] env-harvesting
openclaw/dist/skillify-worker.js:11
(same pattern as #2 — the dist ships BOTH the old `skilify-worker.js` AND
the new `skillify-worker.js` because the rename in #116 didn't delete
the legacy chunk)
✗ [CRITICAL] dangerous-exec
openclaw/dist/skillify-worker.js:416
> const out = execFileSync("which", [name], {
! [WARN] potential-exfiltration
openclaw/dist/skilify-worker.js:4
File read combined with network send (possible exfiltration)
! [WARN] potential-exfiltration
openclaw/dist/skillify-worker.js:4
(same — duplicated by the rename leftover)
Summary: 5 critical, 2 warn, 0 info
The same rule family triggered the previous round of fixes in b277e0b split shared fs+fetch modules; openclaw bundle now passes ClawHub static scan (2026-04-26). Since then:
The skillify worker (skill mining) was added, which legitimately needs child_process.execFileSync to call which <agent-binary> (detecting which CLI to delegate to). That alone is a hard dangerous-exec violation.
process.env.X reads were added in the same modules that fetch() to Deeplake — re-tripping env-harvesting for the second time in two months.
The skilify → skillify rename (Rename: skilify -> skillify (fix typo) #116) left the OLD skilify-worker.js chunk in the bundle alongside the new one, so the scanner sees the same violations TWICE.
Why this slipped through
npm run audit:openclaw is defined in package.json (line 41) but isn't wired anywhere:
Not in any .github/workflows/* (CI doesn't run it)
Not in .husky/ (pre-commit doesn't run it)
Not in the npm run ci lane
So whenever a new openclaw bundle pattern matches a ClawHub rule, nothing catches it locally or in CI — the violation merges, releases, publishes, and the real ClawHub scanner is the first thing that notices. Each round costs us the published listing.
Proposed fix (high level)
Wire audit:openclaw into the release workflow as a hard gate — fail the publish step on any [CRITICAL] finding. Anything caught at PR-checks time is cheaper than a takedown.
Delete the leftover openclaw/dist/skilify-worker.js — only skillify-worker.js should ship after the rename. Halves the violation count by removing the duplicate.
Address the legitimate patterns:
execFileSync("which", ...): openclaw is a gateway, not an agent CLI — the skillify worker still needs a delegate CLI to run gate calls. Options: (a) hand the path in via env at install time (no which lookup at runtime), (b) read /proc/*/comm instead of shelling out, (c) appeal to ClawHub to whitelist this exact call.
process.env.HIVEMIND_DEBUG + network in same module: same source-split treatment as b277e0b — pull the env read into a separate module that does no network.
process.env.HIVEMIND_SEMANTIC_LIMIT in openclaw/dist/index.js: ditto, or inline the value at build time via esbuild define (we already do this for several HIVEMIND_* env vars in esbuild.config.mjs:263-279).
Reach out to ClawHub for restoration — explain the patterns are legitimate (skill-mining gate delegation, debug-level logging knob, semantic-search limit knob), get the package un-removed.
Test plan
npm run audit:openclaw exits 0 (zero criticals, zero warns) on the fix branch
CI Release workflow includes a Run audit:openclaw step before Publish openclaw bundle to ClawHub, and that step fails on criticals
After landing + publish, ClawHub page for hivemind returns a valid package response again (or, if ClawHub doesn't auto-republish a removed package, file a manual restoration request and link the result here)
Untested / open questions
Whether ClawHub's scanner is the exact same rule set as scripts/audit-openclaw-bundle.mjs, or whether ours is a subset/superset. May need a round-trip with the ClawHub team to confirm.
Whether execFileSync for a fixed argument like "which" is policy-violating per se, or whether there's a sanctioned API to discover sibling binaries. If the latter, refactor; if the former, the skillify worker may need to live outside the openclaw bundle entirely.
Symptom
https://clawhub.ai/packages/hivemindreturns "This plugin does not exist or has been removed." Live as of 2026-05-15 (the day this issue is filed).CI publish workflow last reported
successonPublish openclaw bundle to ClawHubat the 0.7.26 release (2026-05-14T17:18 UTC), so the takedown happened after publish — i.e. ClawHub's post-publish moderation scan flagged the bundle and removed it.Root cause
Running
npm run audit:openclaw(the in-repo replica of ClawHub's static rules) against the current main's bundle shows 5 CRITICAL violations + 2 WARN:The same rule family triggered the previous round of fixes in
b277e0b split shared fs+fetch modules; openclaw bundle now passes ClawHub static scan(2026-04-26). Since then:child_process.execFileSyncto callwhich <agent-binary>(detecting which CLI to delegate to). That alone is a harddangerous-execviolation.process.env.Xreads were added in the same modules thatfetch()to Deeplake — re-trippingenv-harvestingfor the second time in two months.skilify → skillifyrename (Rename: skilify -> skillify (fix typo) #116) left the OLDskilify-worker.jschunk in the bundle alongside the new one, so the scanner sees the same violations TWICE.Why this slipped through
npm run audit:openclawis defined inpackage.json(line 41) but isn't wired anywhere:.github/workflows/*(CI doesn't run it).husky/(pre-commit doesn't run it)npm run cilaneSo whenever a new openclaw bundle pattern matches a ClawHub rule, nothing catches it locally or in CI — the violation merges, releases, publishes, and the real ClawHub scanner is the first thing that notices. Each round costs us the published listing.
Proposed fix (high level)
audit:openclawinto the release workflow as a hard gate — fail the publish step on any[CRITICAL]finding. Anything caught at PR-checks time is cheaper than a takedown.openclaw/dist/skilify-worker.js— onlyskillify-worker.jsshould ship after the rename. Halves the violation count by removing the duplicate.execFileSync("which", ...): openclaw is a gateway, not an agent CLI — the skillify worker still needs a delegate CLI to run gate calls. Options: (a) hand the path in via env at install time (nowhichlookup at runtime), (b) read/proc/*/comminstead of shelling out, (c) appeal to ClawHub to whitelist this exact call.process.env.HIVEMIND_DEBUG+ network in same module: same source-split treatment asb277e0b— pull the env read into a separate module that does no network.process.env.HIVEMIND_SEMANTIC_LIMITinopenclaw/dist/index.js: ditto, or inline the value at build time via esbuilddefine(we already do this for severalHIVEMIND_*env vars inesbuild.config.mjs:263-279).Test plan
npm run audit:openclawexits 0 (zero criticals, zero warns) on the fix branchReleaseworkflow includes aRun audit:openclawstep beforePublish openclaw bundle to ClawHub, and that step fails on criticalshivemindreturns a valid package response again (or, if ClawHub doesn't auto-republish a removed package, file a manual restoration request and link the result here)Untested / open questions
scripts/audit-openclaw-bundle.mjs, or whether ours is a subset/superset. May need a round-trip with the ClawHub team to confirm.execFileSyncfor a fixed argument like"which"is policy-violating per se, or whether there's a sanctioned API to discover sibling binaries. If the latter, refactor; if the former, the skillify worker may need to live outside the openclaw bundle entirely.