Security audit

Swarm Workflow Protocol

Security checks across malware telemetry and agentic risk

Overview

This is a coherent multi-agent workflow skill, but it gives agents broad relay, logging, and autonomous execution instructions while documenting a reusable relay token and providing too little control over data handling.

Review before installing. Use only in a trusted local environment, replace the documented relay token with a unique secret, restrict webhook and cron intake to approved sources, and add clear rules for user approval, redaction, log retention, and what data agents may relay or persist.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The README includes a hardcoded relay authentication token in a copy-pasteable example, which encourages users to deploy or reuse a shared secret in plaintext. Even if intended as a local demo value, publishing authentication material in documentation normalizes insecure secret handling and can lead to unauthorized access if the same token is used in real environments.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The document exposes a hard-coded relay authentication token, which can be reused by anyone with access to the skill file to send or fetch messages from the relay service. Even though the endpoint is localhost, this is still dangerous in an agent environment because any local process, plugin, or compromised agent could abuse the secret for spoofing, message theft, or workflow manipulation.

Missing User Warnings

Medium
Confidence: 96%
Finding
The example shows an authenticated request containing a hardcoded secret but gives no warning about credential exposure, secret rotation, or safe storage. In a multi-agent orchestration context, relay authentication likely governs message injection and task routing, so weak documentation practices can directly enable misuse of the control plane.

Missing User Warnings

Medium
Confidence: 86%
Finding
The protocol defines webhook-driven intake, continuous updates, and persistent logging/audit behavior without warning about data sensitivity, retention, or user consent. In practice, this can lead operators or agents to collect and store sensitive task content by default, increasing privacy, compliance, and insider-exposure risk.

Missing User Warnings

Medium
Confidence: 85%
Finding
The skill provides concrete local HTTP endpoints and auth usage instructions but does not warn that task data and agent messages may be transmitted to a local service and persisted. In a multi-agent environment, 'localhost' is not inherently private, so this omission can cause unintended disclosure to other local users, processes, or monitoring tools.

Ssd 3

Medium
Confidence: 83%
Finding
The protocol's emphasis on continuous information flow and agent-driven operation encourages broad sharing of task details across agents and logs without any classification or need-to-know limits. That increases the chance that sensitive inputs, credentials, personal data, or proprietary material will be propagated more widely than necessary.

Ssd 3

Medium
Confidence: 84%
Finding
Requiring continuous updates to a human and logged handoff details without scoping content creates a default pattern of copying task material into status channels and persistent records. This can expose sensitive information beyond the original execution context and make later compromise or misuse more damaging.

Ssd 3

Medium
Confidence: 89%
Finding
The combination of audit-log requirements and 'log only' handling encourages retention of entire agent communications, including raw payloads that may contain secrets, personal data, or internal reasoning. Persistent comprehensive logs materially enlarge the attack surface and forensic blast radius if the local environment or relay is compromised.

VirusTotal

64/64 vendors flagged this skill as clean.