swamp

This skill largely does what it says (it documents how to use the 'swamp' CLI to model APIs and export models into new *Claw skills), but there are a few things to check before installing or running it: - Verify the 'swamp' binary: ensure it comes from a trusted source (e.g., the official GitHub repo mentioned) and is the version you expect. The skill requires that binary to exist on PATH. - Review .claude/settings.local.json: the file that ships with the skill only whitelists a few swamp subcommands but the SKILL.md expects broad use of many commands. Confirm what commands your agent will actually be allowed to run and reconcile any permission gaps. - Be cautious with authentication flows: 'swamp auth login' may open a browser or accept username/password flags. Avoid entering credentials into unfamiliar registries; prefer browser/OAuth flows and verify the SWAMP_CLUB_URL before logging in. - Audit generated artifacts: the workflow explicitly instructs exporting models and generating SKILL.md (new skills) and pushing/pulling extensions. Always review any generated SKILL.md, extension manifest, or packaged extension before installing or publishing — these artifacts can add new capabilities to your agent. - Use least privilege and sandboxing: run initial experiments in a sandboxed environment or VM, and avoid granting broad system access or persistent install rights until you have validated the tool and its outputs. If you want a stronger conclusion, provide the actual 'swamp' binary source (checksums or install instructions) and the agent's runtime permission policy so I can re-evaluate the whitelist/permission mismatch and the potential blast radius of auto-published extensions.