SwanLab Reader

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears purpose-aligned for reading SwanLab experiment data, but users should notice that it runs local Python code, may fetch Python dependencies, and stores or uses a SwanLab API key.

This skill looks appropriate for reading SwanLab experiment runs. Before installing, be comfortable giving it access to a SwanLab API key, understand that the key may be stored at ~/.config/swanlab/key if you use set-key, and review dependency installation if you run it in a sensitive environment.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing and using the skill may allow the agent to access SwanLab data available to the supplied API key, including private experiment information.

Why it was flagged

The code reads a SwanLab API key from environment variables or a local config file and uses it as a Bearer token for SwanLab API requests. This is expected for private project access but grants account-backed read access.

Skill content
key = os.environ.get("SWANLAB_KEY") or os.environ.get("SWANLAB_API_KEY") ... if os.path.exists(CONFIG_KEY_FILE): ... return key ... req.add_header("Authorization", f"Bearer {token}")
Recommendation

Use a SwanLab key with the minimum needed access, rotate it if exposed, and avoid sharing command outputs that include sensitive experiment details.

What this means

A local API key file can be reused by future invocations of the skill and may be exposed if the local account or config directory is compromised.

Why it was flagged

The documentation discloses that the API key can be stored locally or provided through environment variables. This is credential persistence, but it is directly related to the SwanLab integration.

Skill content
The key is stored in `~/.config/swanlab/key`, or passed in via the environment variables `SWANLAB_KEY` / `SWANLAB_API_KEY`.
Recommendation

Prefer environment variables for temporary use, or ensure the local key file is protected by appropriate filesystem permissions.

What this means

Running the setup or commands may install or use external Python packages, so dependency trust affects the skill's local execution environment.

Why it was flagged

The skill relies on external Python dependencies and says uv can handle them automatically, but the artifacts do not pin exact package versions. This is common for a small CLI helper, but users should be aware of dependency provenance.

Skill content
dependencies:
  - swanlab
  - numpy
...
# Dependencies: swanlab, numpy (handled automatically by uv run)
Recommendation

Install dependencies from trusted package sources and consider pinning or reviewing package versions in controlled environments.