Claude Swarm

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate multi-agent coding tool, but it gives background agents broad unattended authority to install dependencies, change code, push branches, and potentially push directly to main.

Install only if you intentionally want autonomous Claude Code agents to modify, commit, push, review, and integrate repository code. Before use: set SWARM_AUTO_MERGE=false; remove or gate the automatic dependency installs; avoid bypassPermissions unless you deliberately accept that risk; run on a fork or a disposable branch; check which git, GitHub, and Claude credentials are active in the environment the agents inherit; disable external notifications unless you need them; and monitor, and be ready to stop, the tmux watcher processes. The static scan was clean and the VirusTotal result is still pending, so this verdict rests on artifact-backed autonomy and repository-impact concerns, not on malware telemetry.
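
The precautions above can be enforced rather than remembered. The following pre-flight gate is an added example written for this page, not code from Claude Swarm: it refuses to start while any of the flagged settings is in its risky state. SWARM_AUTO_MERGE, SWARM_WEBHOOK_URL, SWARM_TELEGRAM_BOT_TOKEN and SWARM_TELEGRAM_CHAT_ID are the variables the scanned scripts read; SWARM_ACCEPT_BYPASS and SWARM_ALLOW_NOTIFY are assumed opt-in knobs introduced here, and the npm and pip environment overrides are defense in depth for the automatic installs, not a replacement for removing them.

```sh
#!/bin/sh
# Added example (not part of Claude Swarm): refuse to launch the swarm unless
# the unattended-authority settings are in a safe state.
#
# swarm_preflight LAUNCH_CMD BRANCH
#   LAUNCH_CMD: the command line that will start the agents; it is checked for
#               "--permission-mode bypassPermissions"
#   BRANCH:     the checked-out branch name (passed in so the check is testable)
# Returns 0 when every check passes, 1 otherwise; each failure goes to stderr.
swarm_preflight() {
  launch_cmd=$1 branch=$2 problems=0

  # The integrator pushes to origin/main unless this is explicitly "false".
  if [ "${SWARM_AUTO_MERGE:-true}" != false ]; then
    echo "preflight: SWARM_AUTO_MERGE must be exactly 'false' (is '${SWARM_AUTO_MERGE:-unset}')" >&2
    problems=$((problems + 1))
  fi

  # bypassPermissions removes the agent's approval gates; require an explicit
  # opt-in (SWARM_ACCEPT_BYPASS is an assumed variable, not one the tool reads).
  case $launch_cmd in
    *bypassPermissions*)
      if [ "${SWARM_ACCEPT_BYPASS:-0}" != 1 ]; then
        echo "preflight: launch command uses bypassPermissions; set SWARM_ACCEPT_BYPASS=1 to accept that risk" >&2
        problems=$((problems + 1))
      fi ;;
  esac

  # Agents should work on a fork or a disposable branch, never on main.
  case $branch in
    main|master)
      echo "preflight: checked out on '$branch'; run the swarm on a fork or disposable branch" >&2
      problems=$((problems + 1)) ;;
  esac

  # Outbound notifications are off unless deliberately allowed (assumed knob).
  if [ -n "${SWARM_WEBHOOK_URL:-}${SWARM_TELEGRAM_BOT_TOKEN:-}" ] \
     && [ "${SWARM_ALLOW_NOTIFY:-0}" != 1 ]; then
    echo "preflight: external notifications are configured; unset them or set SWARM_ALLOW_NOTIFY=1" >&2
    problems=$((problems + 1))
  fi

  # The runner installs dependencies on its own. These are npm's and pip's own
  # environment overrides: no lifecycle scripts, no source builds, so an install
  # cannot execute package code. Yarn has no equivalent set here.
  export npm_config_ignore_scripts=true
  export PIP_ONLY_BINARY=":all:"

  [ "$problems" -eq 0 ]
}

# Usage: sh preflight.sh "<launch command>"  (exits 1 on any failed check)
if [ $# -ge 1 ]; then
  swarm_preflight "$1" "$(git rev-parse --abbrev-ref HEAD)" || exit 1
fi
```

The function takes the branch name as an argument instead of calling git itself so it can be exercised without a repository; the wrapper at the bottom supplies `git rev-parse --abbrev-ref HEAD` for real use. PIP_ONLY_BINARY=:all: also blocks editable installs of the project itself, so relax it if the swarm legitimately needs `pip install -e .`.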

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (22)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises and instructs shell-based orchestration actions but does not declare permissions, which can cause users or hosting systems to underestimate the level of access and automation involved. In this context, the missing declaration is risky because the skill drives git, tmux, notifications, and agent spawning with bypassed permissions, increasing the chance of unintended execution under insufficient review.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose understates materially risky behavior such as automatic dependency installation, PR creation, branch deletion, force-pushes, direct pushes to main, external notifications, and Claude-driven conflict resolution. This mismatch is dangerous because operators may invoke the skill expecting coordination help, while it can perform destructive repository operations and transmit data externally without prominent disclosure.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script is named and described as a completion notifier, but after detecting completion it autonomously invokes a powerful coding agent to review, modify, and potentially commit code, then pushes the branch. This expands the script's authority far beyond notification and creates an unattended code-changing pathway that can alter repository state without explicit human approval.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The reviewer is launched with bypassPermissions and is explicitly instructed to fix issues directly, commit, and push. That removes normal safety gates for a model operating on a live repository, increasing the chance of unauthorized, unsafe, or prompt-influenced changes being applied automatically.

Intent-Code Divergence

Low
Confidence
85% confidence
Finding
The script claims to get a diff for review, but only passes `git diff --stat` output while still authorizing direct fixes to the branch contents. This gives the model insufficient context to safely judge or modify code, increasing the risk of incorrect changes, missed security issues, or edits outside the real intent of the task.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The runner invokes `claude` with `--permission-mode bypassPermissions`, which suppresses normal safety/approval controls and gives the spawned agent broad autonomous capability inside the repository and host environment. In this skill's context, the prompt also instructs the agent to commit, push, and open a PR, so bypassing permissions materially increases the chance of unauthorized code changes, data access, or external actions without an explicit user checkpoint.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script automatically runs `pip install`, `yarn install`, or `npm install` based on repository contents before spawning the agent. Dependency installation executes code-adjacent package lifecycle behavior and pulls untrusted third-party content, which exceeds simple orchestration and can trigger arbitrary script execution or environment modification in a repository the user only intended to inspect or coordinate.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The appended prompt directs the spawned agent to commit changes, push a branch, and create a pull request automatically. Those are write and network actions beyond mere agent spawning/orchestration, and in combination with autonomous execution they can publish unintended code, secrets, or malicious changes to a remote repository without a human review gate.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script unconditionally calls endorse-task.sh for every task before spawning agents, which defeats any claimed endorsement or approval gate. In a multi-agent coding/orchestration context, this removes a key trust boundary and can allow unreviewed or unsafe tasks to be executed at scale, increasing the chance of harmful code changes or workflow abuse.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Very broad trigger phrases like 'parallel coding' or '2+ coding tasks' can cause the skill to activate in situations where the user did not intend to authorize heavy automation. Given this skill's ability to spawn agents, modify repositories, and send notifications, accidental invocation raises the likelihood of unintended code changes or external data disclosure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill describes endorsement, spawning, review, and integration automation without a clear warning that branches may be merged, rewritten, deleted, or pushed to protected remotes. In a repository-management skill, omission of destructive-operation warnings is especially dangerous because users may assume standard coding assistance rather than autonomous VCS mutation across multiple branches.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The notification section mentions webhook and Telegram delivery but does not clearly warn that project metadata, task status, branch names, or other sensitive context may be sent to third-party services. In this skill, external notifications are part of automated workflows, so absent privacy disclosure and data-minimization guidance can lead to unintentional leakage of internal development information.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script performs destructive cleanup operations, including recursive deletion of worktree directories, tmux session termination, and optional local and remote branch deletion, without any interactive confirmation, dry-run mode, or strong guardrails. In a multi-agent orchestration context where automation may be triggered frequently, a mistaken project path or accidental use of --all can cause irreversible loss of work and disruption across local and remote repositories.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script delegates merge-conflict resolution to Claude with bypassed permissions and instructs it to stage and commit changes automatically, with no human review gate before the result becomes part of the integration branch. In this skill's context, the risk is elevated because the conflict content can include adversarial or malformed code from multiple branches, and the automation can silently accept incorrect, insecure, or policy-violating resolutions that are later pushed to main.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The script can push directly to origin/main by default via SWARM_AUTO_MERGE=true, without mandatory confirmation, protected-branch checks, or reviewer approval. In a multi-agent orchestration workflow, this is especially dangerous because upstream automated merges and AI-generated fixes may already be untrusted, so a final automatic push creates a direct path for faulty or malicious code to reach the primary branch.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script automatically pushes branch state after the autonomous review loop, including a force-with-lease attempt, without any explicit confirmation or warning in the script itself. In a multi-agent orchestration context, this can overwrite remote history or publish unintended AI-generated changes without human review.
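
The three preceding findings (unconfirmed branch deletion, the default push to origin/main, and the force-with-lease push) all reach the remote through `git push`, so a client-side pre-push hook in the checkout the swarm uses can stop them regardless of which script issues the push. The hook below is an added example, not part of Claude Swarm. Git invokes it as `pre-push <remote name> <remote url>` and feeds one line per ref on stdin (`<local ref> <local sha> <remote ref> <remote sha>`; a deletion has an all-zero local sha, a new branch an all-zero remote sha). The protected-branch list and the SWARM_ALLOW_MAIN_PUSH override are assumptions; the optional fifth argument to `check_ref` exists only so the fast-forward test can be exercised without a repository.

```sh
#!/bin/sh
# Added example (not part of Claude Swarm): .git/hooks/pre-push that rejects
# pushes to main, ref deletions, and non-fast-forward (force) updates.
ZERO=0000000000000000000000000000000000000000

# check_ref LOCAL_REF LOCAL_SHA REMOTE_REF REMOTE_SHA [ANCESTOR_CMD]
# Returns 0 to allow the update, 1 to reject it (reason on stderr).
# ANCESTOR_CMD defaults to "git merge-base --is-ancestor", which exits 0 when
# its first argument is an ancestor of its second; the test passes true/false.
check_ref() {
  local_ref=$1 local_sha=$2 remote_ref=$3 remote_sha=$4
  ancestor_cmd=${5:-git merge-base --is-ancestor}

  # Protected branches: only an explicit, per-invocation override gets through.
  case "$remote_ref" in
    refs/heads/main|refs/heads/master)
      if [ "${SWARM_ALLOW_MAIN_PUSH:-0}" != 1 ]; then
        echo "pre-push: refusing push to $remote_ref (set SWARM_ALLOW_MAIN_PUSH=1 to override)" >&2
        return 1
      fi ;;
  esac

  # Deleting a remote branch shows up as an all-zero local sha.
  if [ "$local_sha" = "$ZERO" ]; then
    echo "pre-push: refusing deletion of $remote_ref" >&2
    return 1
  fi

  # Fast-forward check: the remote tip must be an ancestor of what we push.
  # --force and --force-with-lease both reach this hook with the same data,
  # so a rewrite of remote history is rejected either way.
  if [ "$remote_sha" != "$ZERO" ] \
     && ! $ancestor_cmd "$remote_sha" "$local_sha" >/dev/null 2>&1; then
    echo "pre-push: refusing non-fast-forward update of $remote_ref" >&2
    return 1
  fi
  return 0
}

# Hook entry point: git supplies two arguments; without them (e.g. when this
# file is sourced for testing) only check_ref is defined.
if [ $# -ge 2 ]; then
  status=0
  while read -r local_ref local_sha remote_ref remote_sha; do
    check_ref "$local_ref" "$local_sha" "$remote_ref" "$remote_sha" || status=1
  done
  exit $status
fi
```

Install it with `cp pre-push .git/hooks/pre-push && chmod +x .git/hooks/pre-push`. A local hook is bypassable by `--no-verify` and by any agent that edits `.git/hooks`, so pair it with branch protection on the remote; the hook's value is that it fails closed before the integration script's push ever leaves the machine.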

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script can exfiltrate arbitrary message content to a configured webhook or Telegram chat without any validation, minimization, or user-facing disclosure at send time. In a multi-agent coding/orchestration context, notification messages may contain file paths, task details, commit data, errors, or other sensitive project information, making silent outbound transmission a real confidentiality risk.

Missing User Warnings

High
Confidence
97% confidence
Finding
The script not only bypasses permission checks but also provides no explicit runtime warning or consent prompt to the user before doing so. In a multi-agent orchestration skill, hidden elevation is especially dangerous because users may assume agents remain sandboxed while the process can modify files, invoke tools, and perform network-affecting actions autonomously.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Automatically installing dependencies occurs without meaningful notice or confirmation, yet package installation can execute lifecycle scripts and alter the local environment. In this skill, where projects may be arbitrary repositories handled by spawned agents, that creates avoidable exposure to untrusted code execution and supply-chain risk.

External Transmission

Medium
Category
Data Exfiltration
Content
case "$NOTIFY" in
  webhook)
    if [ -n "${SWARM_WEBHOOK_URL:-}" ]; then
      curl -s -X POST "$SWARM_WEBHOOK_URL" \
        -H "Content-Type: application/json" \
        -d "{\"text\": \"$MSG\"}" 2>/dev/null || true
    fi
Confidence
92% confidence
Finding
Matched pattern: `curl -s -X POST "$SWARM_WEBHOOK_URL" -H "Content-Type: application/json" -d "{\"text\": \"$MSG\"}"`. The notification text in `$MSG` is interpolated unescaped into a JSON body and POSTed to whatever URL `SWARM_WEBHOOK_URL` holds; a double quote or newline in the message corrupts the body, nothing minimizes what is sent, and `2>/dev/null || true` hides delivery failures from the operator.

External Transmission

Medium
Category
Data Exfiltration
Content
;;
  telegram)
    if [ -n "${SWARM_TELEGRAM_BOT_TOKEN:-}" ] && [ -n "${SWARM_TELEGRAM_CHAT_ID:-}" ]; then
      curl -s "https://api.telegram.org/bot${SWARM_TELEGRAM_BOT_TOKEN}/sendMessage" \
        -d "chat_id=${SWARM_TELEGRAM_CHAT_ID}" \
        -d "text=${MSG}" \
        -d "parse_mode=Markdown" 2>/dev/null || true
Confidence
90% confidence
Finding
Matched pattern: `curl -s "https://api.telegram.org/bot${SWARM_TELEGRAM_BOT_TOKEN}/sendMessage" -d "chat_id=${SWARM_TELEGRAM_CHAT_ID}" -d "text=${MSG}" -d "parse_mode=Markdown"`. The message is sent as an un-encoded form field with Markdown parsing enabled, so `&`, `%` or Markdown metacharacters in agent output can truncate, restyle, or break the request; the bot token is part of the request URL on the curl command line, where it is visible to anything that can list processes for the duration of the call; and `2>/dev/null || true` swallows any error.

External Transmission

Medium
Category
Data Exfiltration
Content
;;
  telegram)
    if [ -n "${SWARM_TELEGRAM_BOT_TOKEN:-}" ] && [ -n "${SWARM_TELEGRAM_CHAT_ID:-}" ]; then
      curl -s "https://api.telegram.org/bot${SWARM_TELEGRAM_BOT_TOKEN}/sendMessage" \
        -d "chat_id=${SWARM_TELEGRAM_CHAT_ID}" \
        -d "text=${MSG}" \
        -d "parse_mode=Markdown" 2>/dev/null || true
Confidence
90% confidence
Finding
Matched external endpoint: https://api.telegram.org/. This is the same `sendMessage` call as the previous finding, flagged again by the external-domain pattern; it is the only hard-coded third-party host in the excerpt, so every Telegram notification leaves the host for a service the operator does not control.
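
A replacement for the notification case block above that addresses the three External Transmission findings and the two Missing User Warnings findings on notifications, as an added example that is not part of Claude Swarm. It escapes the message for the JSON body, URL-encodes the Telegram form fields and drops `parse_mode`, redacts token shapes and home-directory paths before anything leaves the host, passes the bot-token URL to curl through `--config` on stdin so it never appears in the argument list, reports delivery failures instead of swallowing them, and honours an assumed SWARM_NOTIFY_DRY_RUN=1 that prints the payload instead of sending it. NOTIFY, SWARM_WEBHOOK_URL, SWARM_TELEGRAM_BOT_TOKEN and SWARM_TELEGRAM_CHAT_ID are the scanned script's own variables; the redaction patterns are a starting list, not a secret scanner.

```sh
#!/bin/sh
# Added example (not part of Claude Swarm): hardened notification delivery.

# Collapse line breaks to spaces, then escape backslashes and double quotes so
# the message can sit inside a JSON string literal without breaking it.
json_escape() {
  printf '%s' "$1" | tr '\n\r\t' '   ' | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Strip things that should never leave the host: GitHub token prefixes,
# Anthropic API keys, anything shaped like a Telegram bot token (digits, colon,
# long alphanumeric tail), and home-directory paths. Extend for your environment.
redact() {
  printf '%s' "$1" | sed -E \
    -e 's/(ghp|gho|ghu|ghs|ghr|github_pat)_[A-Za-z0-9_]+/<redacted-token>/g' \
    -e 's/sk-ant-[A-Za-z0-9_-]+/<redacted-token>/g' \
    -e 's/[0-9]{8,}:[A-Za-z0-9_-]{30,}/<redacted-token>/g' \
    -e 's#/(home|Users)/[^[:space:]]+#<path>#g'
}

# send_notification MESSAGE
# Uses the same NOTIFY / SWARM_* settings as the original script. Delivery
# failures are reported on stderr, and the function always returns 0 so a
# broken notifier cannot block the workflow. SWARM_NOTIFY_DRY_RUN is assumed.
send_notification() {
  msg=$(redact "$1")
  case "${NOTIFY:-}" in
    webhook)
      [ -n "${SWARM_WEBHOOK_URL:-}" ] || return 0
      body="{\"text\": \"$(json_escape "$msg")\"}"
      if [ "${SWARM_NOTIFY_DRY_RUN:-0}" = 1 ]; then
        printf 'DRY RUN webhook: %s\n' "$body"
        return 0
      fi
      curl -sS --fail --max-time 10 -X POST "$SWARM_WEBHOOK_URL" \
        -H 'Content-Type: application/json' -d "$body" >/dev/null \
        || echo "notify: webhook delivery failed" >&2
      ;;
    telegram)
      [ -n "${SWARM_TELEGRAM_BOT_TOKEN:-}" ] && [ -n "${SWARM_TELEGRAM_CHAT_ID:-}" ] || return 0
      if [ "${SWARM_NOTIFY_DRY_RUN:-0}" = 1 ]; then
        printf 'DRY RUN telegram: chat_id=%s text=%s\n' "$SWARM_TELEGRAM_CHAT_ID" "$msg"
        return 0
      fi
      # The token-bearing URL reaches curl via --config on stdin, not argv.
      # Fields are URL-encoded and sent as plain text (no parse_mode), so
      # Markdown or form metacharacters in agent output cannot alter the request.
      printf 'url = "https://api.telegram.org/bot%s/sendMessage"\n' "$SWARM_TELEGRAM_BOT_TOKEN" \
        | curl -sS --fail --max-time 10 --config - \
            --data-urlencode "chat_id=$SWARM_TELEGRAM_CHAT_ID" \
            --data-urlencode "text=$msg" >/dev/null \
        || echo "notify: telegram delivery failed" >&2
      ;;
  esac
  return 0
}

# Usage: NOTIFY=webhook SWARM_WEBHOOK_URL=... sh notify.sh "task 3 finished"
if [ $# -gt 0 ]; then
  send_notification "$*"
fi
```

Run it once with SWARM_NOTIFY_DRY_RUN=1 on a real swarm message to see exactly what would leave the host; that printed payload is the disclosure the findings above say the skill never gives.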

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal