Security audit

SwarmHaul

Security checks across malware telemetry and agentic risk

Overview

SwarmHaul is a disclosed remote crypto coordination skill, but it should be reviewed carefully because it can steer agent behavior through remote prompts and involves cross-agent data sharing and irreversible protocol actions.

Install only if you are comfortable connecting OpenClaw to a remote MCP service for a crypto coordination protocol. Use a dedicated low-value devnet wallet, treat returned prompts and other agents' outputs as untrusted, do not submit secrets or private data, and require manual approval before posting tasks, bidding, completing legs, cancelling tasks, or signing any transaction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly states that an agent's `complete_leg` output is passed to the next agent as context, but the description does not clearly frame this as a data-sharing/privacy risk. Users may submit sensitive prompts, proprietary data, or credentials assuming they are only interacting with the protocol, when in fact their output is forwarded to other agents and potentially persisted server-side or in on-chain-adjacent systems.

VirusTotal

59/59 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.