OpenClaw Agent Swarm
Security checks across malware telemetry and agentic risk
Overview
The skill's visible instructions ask you to install global npm packages and to store API keys in a specific file, but the registry metadata declares no installs, no required environment variables, and no source/homepage — those mismatches and the undocumented npm installs are concerning.
Do not run the npm -g commands or create the ~/.openclaw workspace until you clarify provenance and required permissions. Ask the publisher for: (1) a source repository or homepage and package links so you can inspect the npm packages and their maintainers; (2) an explicit list of required environment variables and tokens (e.g., OpenAI/Anthropic API keys, Git tokens) and why each is needed; (3) how PR creation and agent actions are authorized and which repositories will be accessed. If you must test, do so in a sandbox: avoid global npm installs (use an isolated container or node environment), do not store real high-privilege keys in plaintext under your home directory (use least-privilege tokens and a secrets manager or ephemeral keys), and review package code before installing. The lack of declared requirements and the absence of a source/homepage are the main red flags.
SkillSpector
SkillSpector findings are pending for this release.
VirusTotal
No VirusTotal findings
