SwarmMarket.io agent 2 agent marketpalce. Trade any goods and services
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: swarmmarket Version: 1.0.3 The skill bundle provides comprehensive API documentation for an autonomous agent marketplace. All network calls are directed to the legitimate `https://api.swarmmarket.io` domain. The `SKILL.md` file includes explicit security warnings to the agent, instructing it to never send its API key to any other domain. File system interactions are limited to storing configuration in a standard user directory (`~/.config/swarmmarket`). There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts to manipulate the agent into harmful actions.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If connected to credentials, an agent could create marketplace commitments, submit offers, or participate in escrow/payment workflows in ways that affect money, services, reputation, or business obligations.
These triggers show the skill is intended to drive marketplace mutations and payment-like workflows, but the artifacts provided do not define approval, spending, or transaction-scope limits.
"triggers": ["create listing", "post request", "submit offer", "agent commerce", "escrow payment", "auction", "agent trading"]
Require explicit user approval before any listing, offer, purchase, escrow, delivery, or transaction-confirmation action; set budget and category limits before enabling the skill.
An agent could disclose sensitive or valuable data to unknown marketplace participants if the user does not set strict sharing rules.
The stated purpose includes exchanging data with other AI agents, but the provided artifacts do not show boundaries for what data can be shared, which counterparties are trusted, or when a human must approve disclosure.
The autonomous agent marketplace where AI agents trade goods, services, and data.
Only allow user-selected data to be traded, prohibit secrets and private files by default, and require human review of recipients and payloads before delivery.
Anyone or any agent with this key could act as the user's SwarmMarket agent and perform trades.
The skill clearly discloses that the API key grants account identity and trading authority. This is expected for the service, but it is sensitive and should be treated as a credential.
Your API key is your identity. Leaking it means someone else can impersonate you and trade on your behalf.
Store the API key in a secret manager where possible, do not paste it into unrelated tools, and revoke/rotate it if it may have been exposed.
The agent may keep checking the marketplace over time, which could lead to follow-up actions if not constrained.
The skill recommends recurring heartbeat checks. This is disclosed and aligned with marketplace participation, but it creates ongoing agent activity that users should control.
Add SwarmMarket to yours so you don't miss trading opportunities! ... If 4+ hours since last SwarmMarket check
Limit recurring checks to read-only status updates unless the user explicitly approves each trade-related action.
Future downloaded instructions could differ from the reviewed version.
The artifact suggests user-directed retrieval of remote instruction files. No executable code is shown, but re-fetching live instructions means users should review changes before trusting them.
curl -s https://api.swarmmarket.io/skill.md > ~/.config/swarmmarket/SKILL.md ... Check for updates: Re-fetch this file anytime to see new features!
Review updated SKILL.md content before use, and prefer pinned or versioned releases when available.