Swarm Sprint
Security checks across malware telemetry and agentic risk
Overview
Swarm Sprint matches its git-worktree coding purpose, but its helper script runs shell commands built from task data and performs force cleanup, so it needs review before use.
Use only if you are comfortable letting the agent run local git and shell commands on the target repository. Keep a clean git state or backup, use trusted tasks.json files with simple task IDs, inspect the full scripts/swarm.js first, run plan-only or dry-run where possible, and review every diff before merging.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted task file or repository path could cause commands to run on the user's machine while the skill is creating worktrees.
Task IDs from tasks.json are embedded into a shell command executed through bash -c. Shell quoting here does not prevent command substitution or other crafted shell input, so a malicious or malformed task ID or path could execute unintended local commands.
const result = spawnSync('bash', ['-c', cmd], { ... }); ... const branchName = `swarm/${timestamp}-${task.id}`; ... run(`git worktree add "${worktreePath}" -b "${branchName}"`, repoPath);Use only trusted task files with simple slug IDs, inspect the script before running it, and replace bash -c string execution with argument-array spawn calls plus strict validation of task IDs and paths.
Cleanup could delete more than the intended generated worktree, or remove unmerged branch work, if task IDs or package data are unsafe.
The cleanup path is derived from task.id and is later force-removed, with an rm -rf fallback. Without strict validation that the path is a safe generated worktree path, cleanup can become destructive if task data is crafted or malformed.
const worktreePath = path.join(path.dirname(repoPath), `${path.basename(repoPath)}-swarm-${task.id}`); ... run(`git worktree remove "${wt.worktreePath}" --force`, repoPath); ... tryRun(`rm -rf "${wt.worktreePath}"`);Validate task IDs against a strict pattern, verify cleanup targets are under an expected directory, avoid rm -rf fallbacks, and ask for explicit confirmation before destructive cleanup.
Users may assume merge conflicts and overlapping work are safely prevented when the planner may miss conflicts or only approximate them.
The documentation presents conflict detection as reliable file-touch analysis, while the visible implementation uses keyword/domain heuristics from task descriptions. That can lead users to overtrust the planner.
SKILL.md: "flags tasks that would touch the same files, and serializes them automatically"; scripts/swarm.js: "likely touches based on keywords"
Treat the planner as a heuristic, manually review task/file overlap, and verify each diff and test run before merging.
Several agents may make code changes in parallel, increasing review burden and the chance of inconsistent changes.
The skill explicitly coordinates multiple autonomous coding agents that modify and commit code. This is disclosed and central to the purpose, but it is still high-impact behavior.
For each package, spawn a subagent ... Instruction to `git add -A && git commit` before reporting back ... Max 5 parallel agents
Use this only on repositories with clean git state, review every diff, and merge one branch at a time after tests pass.
Sensitive task details could persist in a local memory/log file if included in task descriptions.
The skill stores a persistent sprint log. This is disclosed, but task descriptions and outcomes may remain available to later agent runs or repository users.
Sprint log written to `memory/swarm-log.md`
Avoid putting secrets in sprint tasks and review or delete memory/swarm-log.md after use if it contains sensitive information.
A reviewer cannot verify all runtime behavior from the supplied source excerpt.
The provided artifact view does not include the complete helper script, even though the skill instructs users to run that script.
"truncated": true ... "...[truncated]"
Inspect the complete local scripts/swarm.js before running the skill, especially because it has shell and cleanup authority.