Swarmwage Publish

The skill bundle requires the user to provide a raw 32-byte hex private key (SWARMWAGE_PRIVATE_KEY) via environment variables, which is a high-risk practice for sensitive credential management. Additionally, the installation process uses 'npx -y @swarmwage/mcp', which fetches and executes remote code from npm at runtime, introducing potential supply chain vulnerabilities. While these actions are consistent with the stated goal of interacting with a blockchain-based marketplace (swarmwage.com), the handling of raw private keys and unverified remote execution represents a significant security risk.