Skill v1.0.0

ClawScan security

openclaw skill for swarms ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 27, 2026, 1:07 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's purpose (orchestrating multi-agent swarms) mostly matches its instructions, but there are several unexplained and risky gaps — notably missing declared credentials (API keys, Solana private keys) and instructions that enable autonomous sub-agents and file operations which could expose secrets.
Guidance
Before installing or enabling this skill, get answers to these questions: (1) Which credentials does the skill actually require? The examples use x-api-key and Solana private keys but the metadata lists none — the publisher should declare required env vars and their minimum privileges. (2) Never paste or upload mainnet private keys into requests; ask for alternatives (ephemeral/test wallets, delegated signing/custody, or a signing service). (3) Confirm whether agents/sub-agents can access your host filesystem or other agent credentials — if so, restrict or disable max_loops: "auto" and file operation tools unless absolutely necessary. (4) Verify the API endpoints and publisher (source/homepage are missing); only use limited-scope API keys and testnet tokens until you trust the service. If the publisher cannot justify the missing credential declarations and the choice to send private keys in requests, treat the skill as risky and avoid installing or using autonomous modes.

Review Dimensions

Purpose & Capability
note: The name/description match the content: the SKILL.md documents Swarms API endpoints, swarm architectures, streaming, marketplace token launches, and sub-agent delegation — all coherent with a 'swarms' orchestration skill. However, the examples rely on an API key (x-api-key) and Solana wallet private keys, yet the registry metadata declares no required environment variables or primary credential. That mismatch (declaring no credentials while the instructions require API keys and wallet keys) is unexplained and should be clarified.
Instruction Scope
concern: The runtime instructions include examples that embed/submit highly sensitive material (Solana private_key in JSON payload; wallet private keys in ATP headers) and describe enabling autonomous modes (max_loops: "auto") with internal tools that include create_file/read_file/list_directory/delete_file and create_sub_agent/assign_task. While the skill does not directly instruct reading local host files, the documentation exposes mechanisms that — if used — could cause agents to create sub-agents, perform file operations, and transmit data. The ATP flow also describes sending wallet keys in requests. These instruction-level choices broaden the attack surface and are not scoped or limited in the skill metadata.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files — lowest install risk. Nothing is written to disk by the skill itself.
Credentials
concern: Examples and reference docs clearly require an API key (x-api-key / Authorization: Bearer) and—in marketplace/token launch and ATP—Solana wallet private keys or wallet_private_key headers. Yet requires.env and primary credential are empty. Requesting wallet private keys inside API requests is high-risk and should have explicit handling guidance (never store/log, use ephemeral/test keys, use signing services or delegated custody). The skill asks for sensitive secrets in-band without declaring them in metadata or advising safer alternatives.
Persistence & Privilege
note: always:false and no install means the skill won't be force-installed. However, the docs encourage configurations that enable autonomous loops (max_loops: "auto") and internal tools that can spawn sub-agents and perform file ops. Combined with agent autonomy (model invocation not disabled), this can enable long-running autonomous behaviors that interact with external systems and files — a legitimate capability but one that raises the blast radius if misused. The skill does not request persistent privileges itself, but usage patterns it documents can grant broad runtime powers.