LinkSwarm API
ReviewAudited by ClawScan on May 10, 2026.
Overview
This is a coherent LinkSwarm API guide, but it gives agents authority to create and manage public backlink placements and autonomous webhooks without clear approval or scope limits.
Install only if you are comfortable letting an agent manage LinkSwarm backlink activity for specific approved domains. Before use, set explicit limits for allowed domains, credit spending, contribution slots, webhook events, and require confirmation before public link placements are requested or accepted.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could spend credits or cause public backlink placements for user domains without enough user review.
These are high-impact account and public-web actions, but the skill does not define approval requirements, allowed domains, spending limits, or safe rollback procedures.
- Register domains with LinkSwarm network - Request backlinks (costs credits) - Contribute link slots (earns credits)
Require explicit user confirmation for each domain, backlink request, contribution slot, and credit-spending action; use allowlists and keep a record of changes.
Anyone or any agent with this key may be able to act on the user's LinkSwarm account.
The skill expects a LinkSwarm API key even though the registry metadata lists no primary credential or required environment variable. This is expected for the API, but users should understand the credential grants account access.
Add to your agent's auth-profiles.json or environment:
{
"linkswarm": {
"api_key": "sk_linkswarm_..."
}
}Store the key only in a trusted credential store, restrict its scope if the provider supports it, and rotate it if exposed.
If webhook events are spoofed or over-trusted, an agent could react to false placement or credit notifications.
The skill documents callbacks into an agent endpoint, but does not describe webhook signing, sender verification, replay protection, or how event data should be trusted.
POST /v1/webhooks
{
"url": "https://your-agent.com/webhook",
"events": ["link.placed", "link.verified", "credits.low"]
}Use signed webhooks or a shared secret, verify sender identity, and avoid letting webhook events trigger further actions without validation.
The agent may continue receiving placement and credit events over time, which could lead to ongoing actions if paired with automation.
Autonomous operation is disclosed and relevant to the service, but persistent callbacks can keep influencing an agent after initial setup if not bounded.
Set up webhooks for autonomous operation
Enable webhooks only for domains and events the user approves, document how to disable them, and require confirmation before webhook-triggered changes.
A user may let the agent participate in backlink exchanges without understanding possible SEO or reputation consequences.
The skill promotes backlink exchanges as looking natural to search engines but does not disclose reputation, policy, or search-ranking risks of automated backlink schemes.
- **Non-reciprocal matching** - Links look natural to search engines
Add clear warnings about public-site, reputation, and search-policy risks, and require user approval before creating or accepting link placements.