Hackathon Swarm Coding
Pass
Audited by ClawScan on May 10, 2026.
Overview
This skill is a disclosed autonomous code generator that uses an OpenRouter API key and writes project/log files locally; no artifact-backed malicious behavior was found, but users should review generated code and avoid sensitive prompts.
Install only if you are comfortable running a local Node-based code generator that sends prompts to OpenRouter and writes persistent project logs. Use an isolated workspace, a scoped OpenRouter key, avoid sensitive prompts, and review all generated code before running, committing, or deploying it.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
It can create substantial runnable code in your workspace; unsafe generated code could matter if you run or deploy it without review.
The skill is intended to autonomously generate and write a complete software project, which is a meaningful local file mutation capability even though it is disclosed and purpose-aligned.
Fully autonomous multi-agent software development... All code is written to files; no interactive sessions.
Run it in an isolated workspace and review generated source, dependencies, Docker files, and CI before executing or deploying.
Your OpenRouter key can be used for billable model calls during generation.
The skill uses an OpenRouter API key from the workspace .env file and sends it to the declared OpenRouter API endpoint.
const OPENROUTER_KEY = env.OPENROUTER_API_KEY; ... 'Authorization': `Bearer ${OPENROUTER_KEY}`
Use a scoped/revocable OpenRouter key, monitor usage, and do not place unrelated secrets in prompts or generated files.
Sensitive prompts, architecture details, or generated reasoning may remain on disk after the run.
The skill persistently records project prompts, decisions, and learning logs, which can preserve sensitive project details.
"dataRetention": "Project files and decision logs are written to swarm-projects/ and retained across runs. Logs may contain user prompts and agent reasoning."
Avoid including secrets or confidential details in prompts, and clean up swarm-projects/ or .learnings/ when no longer needed.
Users relying only on registry metadata may not realize the skill needs a local Node runtime and an API key.
The registry metadata/provenance is incomplete compared with the skill files that require Node.js and an OpenRouter API key, though the README and SKILL.md disclose the needed setup.
Source: unknown; Homepage: none; Required env vars: none; No install spec — this is an instruction-only skill.
Read the included README/SKILL.md before running and verify the local orchestrator.js source from a trusted copy.
