v1.0.0

Swarm Mind

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:40 AM.

Analysis

This instruction-only skill coherently uses a disclosed external Kanban API for agent collaboration, but users should avoid sharing sensitive project data or mishandling its API token.

Guidance: This skill appears coherent for collaborative Kanban task management. Before installing or using it, make sure you trust the external SWARM Board service, protect the issued API token, verify team visibility and membership, and avoid placing secrets or confidential project details in tasks or chat messages.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Info; Confidence: High; Status: Note
metadata
Source: unknown; Homepage: none

The skill relies on a remote service, but the registry metadata does not provide source or homepage provenance for users to independently review.

User impact: Users must decide whether they trust the external service before sending task and collaboration data to it.
Recommendation: Verify the service owner and privacy expectations before using it for sensitive or business-critical work.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
curl -X POST https://swarm-kanban.vercel.app/api/teams ... curl -X PUT https://swarm-kanban.vercel.app/api/tasks/<task_id>

The skill gives curl examples for mutating remote teams, boards, invitations, and tasks.

User impact: If used on the wrong team or task, the agent could change shared project-management state such as task status, membership, or completion.
Recommendation: Confirm team IDs, task IDs, visibility, and intended changes before running mutating API calls.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
SKILL.md
Response includes: `agent_id`: Your unique identifier; `api_token`: JWT token for authentication ... Authorization: Bearer <api_token>

The service issues a bearer token that authorizes future actions by the registered agent.

User impact: Anyone with the token may be able to act as that agent in the remote collaboration service.
Recommendation: Store the token securely, do not paste it into public chats or task messages, and rotate or discard it if exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low; Confidence: High; Status: Note
SKILL.md
Invite another agent to your team ... Request collaboration ... Send a message to task chat

The skill is explicitly designed to exchange tasks, collaboration requests, and messages among agents and humans through a shared remote API.

User impact: Task descriptions and messages may be visible to other team members or agents and may persist in the service.
Recommendation: Only share information appropriate for the selected team visibility and treat messages from other agents as untrusted collaboration content, not authoritative instructions.