Back to skill
Skillv1.0.0
ClawScan security
LinkSwarm · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 11, 2026, 9:20 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only wrapper for the LinkSwarm API and its declared behavior, requirements, and runtime instructions are internally consistent with its stated purpose.
- Guidance
- This skill is coherent: it simply instructs an agent to call the LinkSwarm API. Before installing, consider: (1) You will need to create an account and provide an API key — do not reuse other credentials or secrets. (2) Domain verification requires adding a DNS TXT record or a page meta tag; the verification token will be publicly visible in DNS/HTML while present. (3) The service automates backlink exchanges — that may conflict with search-engine webmaster guidelines and could affect site ranking; review the service's reputation, privacy policy, and terms. (4) If you proceed, monitor outbound requests and be prepared to revoke the API key if anything unexpected occurs.
Review Dimensions
- Purpose & Capability
- okName/description match the SKILL.md: the document instructs the agent to interact with api.linkswarm.ai to register sites, offer link slots, and request backlinks. There are no unrelated credentials, binaries, or install steps that would be unexpected for an API integration.
- Instruction Scope
- noteThe instructions tell the agent to call specific LinkSwarm endpoints and to guide the user through obtaining and using an API key. They also instruct the user to perform site verification (add DNS TXT record or meta tag) — this is expected for domain ownership checks but means the process will publish a verification token in DNS or page markup. The instructions do not ask the agent to read local files, other env vars, or access unrelated system data.
- Install Mechanism
- okNo install spec and no code files — instruction-only. This is the lowest-risk model (nothing is written to disk by the skill itself).
- Credentials
- okThe skill requires no declared environment variables or platform credentials. Runtime usage expects a user-provided API key (normal and proportional). No unrelated secrets, config paths, or multiple credentials are requested.
- Persistence & Privilege
- okThe skill is not always-enabled and uses default agent invocation rules. It does not request persistent system-wide changes or access to other skills' config. Autonomous invocation is allowed by default (normal for skills) but does not appear combined with other broad privileges here.