Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Swarmclaw Skill
v2.3.0
Manage your SwarmClaw agent fleet — agents, tasks, chats, chatrooms, goals, schedules, memory, wallets, connectors, autonomy, and 40+ more command groups. Us...
by Wayde @waydelyle
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill is documentation for the SwarmClaw agent platform and lists tools, workflows, and examples. There are no unrelated required binaries, credentials, or install steps that would be inconsistent with a documentation skill.
Instruction Scope
SKILL.md includes concrete runtime examples (tool calls and a curl to a local API at http://localhost:3456/api/memory/dream) and describes usage of tools like execute, files, memory, and platform. This is appropriate for platform documentation, but it does instruct agents to call local endpoints and to rely on environment-injected credentials in execute runs (e.g., $OPENAI_API_KEY, $GITHUB_TOKEN). Those references are expected for a platform doc but worth noting because they imply agent actions that interact with local services and secrets available in the agent environment.
Install Mechanism
No install spec and no code files are present; this is lowest-risk (documentation-only). Nothing is downloaded or written to disk by the skill itself.
Credentials
The skill metadata declares no required environment variables, but the documentation explicitly references environment-injected credentials (e.g., $OPENAI_API_KEY, $GITHUB_TOKEN) and $WORKSPACE. This is coherent for a platform that injects credentials per-agent, but users should be aware the skill presumes those credentials may be available to execute runs even though none are listed in the registry metadata.
Persistence & Privilege
always is false and the skill is user-invocable. The skill does not request persistent presence or modify other skills or system-wide settings; it only documents tools and workflows.
Assessment
This skill is documentation for the SwarmClaw platform and appears coherent. Before installing or enabling it, confirm you trust the SwarmClaw environment because the instructions assume agent-run commands can access local services (example: localhost:3456) and that credentials configured in the platform will be injected into execute runs (e.g., $OPENAI_API_KEY, $GITHUB_TOKEN). If you have sensitive system services on localhost or do not want the agent to run host-level commands, avoid enabling execute runs with host access or avoid configuring high-privilege credentials for agents that will use this skill. Also verify the platform's claimed secret redaction behavior independently—documentation claims automatic redaction but you should confirm it in your deployment.
Like a lobster shell, security has layers — review code before you run it.
