swarma - growth loops

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed growth-experiment helper skill; its main risk lies in the handling of the required OpenRouter API key and in the external CLI it installs.

Install only if you are comfortable using the external swarma CLI and OpenRouter for growth experiments. Use a restricted OpenRouter key, avoid pasting real keys into tracked config files or shared shell history, review metrics before importing sensitive business data, and run MCP/REST or continuous modes only when you know how to stop and restrict them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill instructs users to place a live API key directly into `.mcp.json`, YAML config, and shell commands, which encourages storing secrets in plaintext files and shell history. This increases the chance of accidental disclosure through source control, shared configs, screenshots, backups, or multi-user system access, especially because the skill explicitly targets terminal/MCP workflows where config files are commonly reused.

VirusTotal

60/60 vendors flagged this skill as clean.
