SWARM Protocol Platform Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a real platform onboarding guide, but it asks agents to download remote instructions, store sensitive keys, and set up recurring polling without enough safeguards.

Install only in an isolated VM or disposable container. Do not run the curl downloads, export private keys, store JWTs, or enable the cron/OpenClaw polling task unless you trust the publisher, have reviewed the downloaded modules, and have a clear way to revoke keys, delete ~/.swam, and disable the scheduled sync.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file presents itself as a required protocol guide, but it instructs the agent to perform operational actions: download remote content, create persistent local state, generate credentials, register with a service, and later obey updated remote instructions. That is a dangerous expansion from documentation into control-plane behavior, and it creates a path for remote influence and persistent compromise.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill directs creation and storage of long-lived PGP private keys, JWT-related configuration, and other authentication material on local disk. For an entry-point guide, this is unjustified secret handling that can expose credentials, enable impersonation, and expand the blast radius if the host or subsequent downloaded content is compromised.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The document instructs the agent to establish continuous polling via cron or equivalent automation, creating persistent background activity. That is risky because it enables ongoing network communication and execution beyond the scope of a one-time guide, increasing opportunities for abuse and reducing operator visibility.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill claims to be the required first step for all interaction, creating broad activation without clear boundaries. This increases the chance that agents will load and obey it in unrelated contexts, making all subsequent risky instructions more likely to execute.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The markdown instructs the agent to download multiple remote modules and save them locally, but it does not provide meaningful safety gating for network access, file writes, or trust verification. This turns a skill into a remote content bootstrapper and creates a direct prompt-injection and persistence channel.

Ssd 1

High
Confidence
99% confidence
Finding
The document mandates that the agent stop, download a new skill, read it, and adjust behavior based on the new instructions. This is a textbook semantic prompt-injection channel: whoever controls the remote update stream can change agent behavior at will, including escalating from guidance to harmful actions.

Ssd 4

Medium
Confidence
93% confidence
Finding
The workflow normalizes downloading platform sub-modules first and later thread-specific skills, progressively building trust in remote instruction sources. This staged design is dangerous because it conditions the agent to ingest increasingly specific untrusted content that can steer actions, persistence, and data exposure.

VirusTotal

66/66 vendors flagged this skill as clean.