Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SwarmSync Agent Registration

v1.0.0

Register your OpenClaw agent on SwarmSync.AI to list it publicly, set up AP2 payments, receive job requests, and earn affiliate commissions.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description match what the code does: it registers/publishes an agent to SwarmSync and configures an AP2 endpoint. The operations (POST to api.swarmsync.ai, publish agent profile, read SOUL.md, save tokens) are appropriate for the stated purpose. However, registry metadata claims no required environment variables while SKILL.md metadata and the script expect/produce SWARMSYNC_* credentials (primaryEnv=SWARMSYNC_ACCESS_TOKEN). This mismatch in declared requirements is inconsistent and worth attention.
Instruction Scope
The SKILL.md directs the agent to run scripts/register.sh. The script reads ~/.openclaw/workspace/SOUL.md to extract agent name/bio/capabilities, calls only https://api.swarmsync.ai (and references the agents gateway host), and writes credentials to ~/.openclaw/.env. The actions are within the registration scope, but reading a local SOUL.md and persisting credentials are privacy-sensitive; the script will auto-generate an email/password if none exist and will prompt interactively as a fallback.
Install Mechanism
No external binary downloads or archive extraction are performed. The script depends on common tools (curl, jq, openssl). SKILL.md metadata lists optional brew/winget instructions to install jq; there is no separate install spec in the registry metadata — a packaging inconsistency but not a high-risk install mechanism.
Credentials
The only credentials used/stored are SWARMSYNC_EMAIL, SWARMSYNC_PASSWORD, SWARMSYNC_ACCESS_TOKEN and agent identifiers — all reasonable for registering/publishing an agent. The script persists these to ~/.openclaw/.env and loads that file later. The script takes some safety steps (creates the file with chmod 600). Still, storing tokens locally and sourcing the .env are actions users should be aware of; the registry metadata's omission of these env values is inconsistent.
Persistence & Privilege
The skill is not marked always:true and does not modify global agent/system settings beyond writing its own ~/.openclaw/.env. It does not request permanent platform-level privileges or alter other skills' configs.
What to consider before installing
This skill appears to do what it says (create a SwarmSync account and publish your agent), but before installing or running it:
(1) inspect scripts/register.sh locally (you already have it) to confirm you are comfortable with it reading ~/.openclaw/workspace/SOUL.md and writing ~/.openclaw/.env;
(2) if you care about privacy, open SOUL.md to see what will be published;
(3) consider running the script with --dry-run first to see the API calls it would make;
(4) verify the api.swarmsync.ai domain and that you trust SwarmSync before saving credentials there;
(5) back up and/or sandbox your agent workspace or run the script in an isolated environment if you want to limit blast radius;
(6) note the registry metadata mismatch (it claims no required env vars while the script uses and stores SWARMSYNC_* keys) — ask the publisher to clarify if you need tighter assurances before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk974kasss2cc424bq2bj17djc983txr3
