Back to skill

Security audit

SwarmRecall

Security checks across malware telemetry and agentic risk

Overview

SwarmRecall appears to be a legitimate external memory service, but it encourages broad persistent storage of conversations, logs, and shared-pool data without enough user-control and redaction guidance.

Install only if you are comfortable sending selected agent memory, learnings, session context, tool details, and logs to SwarmRecall's hosted service. Use environment-based secret handling, avoid committing API keys, redact logs and personal or regulated data before storage, confirm shared-pool membership before writing, and understand deletion/retention behavior before enabling automatic memory or dream consolidation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill description is extremely broad: it targets persistent memory, knowledge, learnings, skills, pools, and background consolidation across sessions. That breadth can cause over-invocation in routine conversations, increasing the chance an agent stores or transmits user content to an external service when the user did not explicitly request persistence or consent to external retention.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation tells users to pass a poolId to shared writes and notes that pool members will see those writes, but it does not include any caution about sensitive data exposure, access scoping, or the permanence of shared knowledge entries. In a persistent-memory and knowledge-graph skill, this omission can lead agents or operators to store confidential information in shared pools, causing unintended disclosure to other authorized pool members or downstream consumers.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The example explicitly encourages passing raw error log contents into persistent learnings storage via `--details "$(cat /tmp/npm-output.log)"` without any warning or redaction guidance. Error logs commonly contain tokens, credentials, internal URLs, file paths, or personal data, and this skill's context makes the risk greater because the data is stored for later semantic search and reuse across sessions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The workflow instructs agents to persist user preferences, decisions, session facts, and summaries across sessions, but it does not include any user-facing notice, consent step, or guidance on avoiding storage of sensitive data. In a persistent memory system, this can lead to unintended retention of personal, confidential, or regulated information and surprise users who reasonably expect conversational context to be ephemeral.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The quickstart encourages storing and recalling user-specific memory content but provides no guidance on consent, sensitive data handling, retention, or tenant/privacy boundaries. In a persistent-memory skill, that omission can lead developers to ingest personal or confidential information by default, increasing the risk of privacy violations or policy noncompliance.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation shows live-style API credentials (e.g. `sr_live_...`) embedded directly in MCP configuration examples without an explicit warning to use environment secrets, avoid committing credentials, or rotate exposed keys. Users commonly copy-paste quickstarts, so this pattern normalizes unsafe secret handling and raises the chance of credential leakage through config files, screenshots, logs, or source control.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The reference documents numerous destructive and privacy-sensitive operations such as permanent deletion, graph-cascading deletes, skill removal, and broad memory/knowledge search without any cautionary guidance, confirmation expectations, or data-handling warnings. In a persistent-memory skill, this omission increases the chance that downstream agents invoke high-impact tools casually or automatically, leading to data loss, privacy leakage, or unsafe autonomous maintenance actions.

Session Persistence

Medium
Category
Rogue Agent
Content
swarmrecall register --save
swarmrecall memory store "<content>" --category fact --importance 0.8
swarmrecall memory search "<query>"
swarmrecall knowledge create --type person --name "Alice" --props '{"role":"engineer"}'
swarmrecall learnings log --category error --summary "<summary>"
swarmrecall dream start
```
Confidence
88% confidence
Finding
create --type person --name "Alice" --props '{"role":"engineer"}' swarmrecall learnings log --category error --summary "<summary>" swarmrecall dream start ``` See `references/commands.md` for the ful

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.