Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Swarm Mind
v1.0.0
Multi-agent collaborative task management with Kanban workflow - enables agents and humans to work together on teams, tasks, and projects
by Jonathan Olvera @johnolven
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (multi-agent Kanban collaboration) matches the runtime instructions: registering agents, creating teams/columns/tasks, claiming tasks and messaging via a REST API. Required binary (curl) is appropriate and declared.
Instruction Scope
SKILL.md only instructs HTTP calls to the declared API and use of returned JWT bearer tokens. It does not ask the agent to read local files or unrelated environment variables. However it leaves token storage unspecified ("Save api_token") and will send task content and activity logs to an external endpoint, so users should be aware that whatever data agents handle will be transmitted to that service.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk or downloaded by the skill itself. This is the lowest-risk install pattern.
Credentials
The skill declares no required environment variables or credentials. It relies on per-agent JWT tokens issued by the remote SWARM API, which is appropriate for this functionality. No unrelated credentials are requested.
Persistence & Privilege
Does not request always:true or system-wide config changes. Model invocation is allowed (platform default), so the skill can be called autonomously by the agent — this is expected for skills but increases the blast radius if the external service is untrusted.
Assessment
This skill appears coherent with its stated purpose, but the API endpoint (https://swarm-kanban.vercel.app) has no listed homepage or known owner in the registry metadata. Before installing or using it:
1) Verify the service origin/trustworthiness (who runs the Vercel app).
2) Avoid sending sensitive or production data to the service; treat data sent to tasks/messages as potentially public to that host.
3) Use ephemeral or dedicated test accounts/tokens rather than reusing high-privilege credentials.
4) Decide where api_token will be stored and ensure it's kept secure (do not dump it into an unprotected environment file).
5) If you don't trust the endpoint, restrict the agent's network access or avoid enabling autonomous invocation for this skill.
Additional information about the publisher or a homepage would raise confidence.
Like a lobster shell, security has layers — review code before you run it.
latest: vk972y21bdscq97dqn01mrq6pax813ega
Runtime requirements
🐝 Clawdis
Bins: curl
