Credit Mastery
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is mostly a Swarms API guide, but it covers wallet-private-key blockchain actions and autonomous multi-agent tooling without enough credential declarations or safety boundaries.
Before installing, confirm this is really the Swarms AI skill despite the “Credit Mastery” registry name. Do not use a main Solana wallet private key; use a dedicated low-balance/test wallet and require explicit approval for any token launch, ATP payment, marketplace publishing, autonomous sub-agent run, or file-operation workflow.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
No VirusTotal findings for this skill version.
- Malicious
- 0
- Suspicious
- 0
- Harmless
- 0
- Undetected
- 64
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user expecting a credit-related skill may instead enable guidance for Swarms agents, Solana token launches, and payment flows.
The supplied registry identifies the skill as “Credit Mastery” / `credit-mastery`, while the actual skill frontmatter identifies it as `swarms-ai`; that mismatch can mislead users about what they are enabling.
name: swarms-ai description: Build and orchestrate multi-agent AI systems using the Swarms API.
Confirm the publisher intended this package identity and rename or republish it so the registry name, slug, and skill purpose match.
Using a real wallet private key could expose funds or authorize irreversible blockchain-related actions if the endpoint, workflow, or generated code is misused.
The skill documents sending a Solana wallet private key for token launch operations that cost funds and create marketplace/blockchain effects, while the registry metadata declares no primary credential.
`private_key` | string | Solana wallet key (JSON array, base64, or base58) ... Cost: ~0.04 SOL per token launch
Use only a dedicated low-balance or testnet wallet, verify the Swarms endpoint and fees independently, and require explicit user approval before any wallet-key or token-launch request.
Autonomous swarms may consume API credits, spawn additional work, or produce outputs outside the user’s immediate oversight.
The skill documents autonomous loops and fire-and-forget sub-agent delegation, which can continue agent activity without waiting for completion or a clear user review point.
`max_loops`: `"auto"` (enables autonomous agent loop) ... `wait_for_completion: false` — fire-and-forget
Prefer fixed `max_loops`, avoid fire-and-forget delegation unless necessary, set explicit budgets/timeouts, and require approval before creating sub-agents or launching long-running workflows.
If connected to a meaningful workspace, generated agents could read, change, or delete files beyond what the user intended.
Autonomous-mode agents are documented as having file read/list/write/delete tools, but the artifacts do not define path boundaries, confirmation requirements, or what filesystem/workspace those tools can affect.
`create_file` / `update_file` / `read_file` / `list_directory` / `delete_file` — file ops
Restrict `selected_tools`, disable delete/read/list tools unless needed, and document the exact workspace/path limits and approval requirements.
Prompts, task data, and authorization headers may be exposed to the MCP server a user configures.
The skill supports connecting agents to arbitrary MCP servers with bearer authorization headers, which is expected for tool integration but crosses a sensitive trust boundary.
`mcp_config`: { `url`: `https://your-mcp-server.com`, `headers`: {"Authorization": "Bearer ..."} }Connect only to trusted MCP servers, use least-privilege tokens, and avoid sending secrets or private data through untrusted tool endpoints.
Installing an unverified or typosquatted package could affect the local environment.
The skill recommends installing an external SDK without a pinned version. This is normal for an API guide, but users should still verify package provenance.
Python SDK: `pip install swarms-client`
Install from the official package source, consider pinning versions, and verify the package name and publisher before use.