SwarmClaw
Security checks across static analysis, malware telemetry, and agentic risk
Overview
SwarmClaw is coherent platform documentation, but it teaches broad shell, credential, persistent-memory, connector, and independent-subagent powers without clear user-approval or containment boundaries.
Install or use this skill only if you intentionally want an agent to understand SwarmClaw's broad runtime powers. Before enabling it, confirm that shell execution is sandboxed where possible, credentials are least-privilege, persistent memories are reviewable/deletable, external connectors are restricted, and spawning subagents requires explicit approval.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent following this guidance could run commands or API calls that change the local environment or connected services.
The skill teaches use of broad shell, API, and package-management operations, including possible host execution, without visible constraints or approval requirements.
"Every agent has access to these core tools. They cover the full range of agent capabilities. ... **execute** | Run bash scripts (sandboxed or host) | Shell commands, curl, data processing, package management"
Use sandboxed execution by default, require explicit user approval for host commands/package installs/external API mutations, and document safe limits.
Broadly available tokens could let command-line actions access or mutate third-party accounts if misused.
The artifact says account credentials are made available to shell executions, but does not bound which commands may receive them or what permission scopes should be used.
"Injected as environment variables into `execute` tool runs (e.g., `$OPENAI_API_KEY`, `$GITHUB_TOKEN`) ... You never need to ask the user for API keys directly."
Use least-privilege credentials, restrict which tools/commands receive secrets, and require confirmation before actions using account tokens.
Sensitive or incorrect information could be saved and later influence future agent behavior.
The skill encourages proactive persistent storage and automatic reuse of memories across sessions without visible consent, exclusions, retention, or review controls.
"Durable memory (cross-session): user preferences, project facts, decisions ... Memories are automatically surfaced in context when relevant ... Store important learnings proactively -- don't wait to be asked"
Give users controls to approve, inspect, edit, and delete memories; avoid storing secrets or sensitive details by default.
Messages from external platforms could cause the agent to act on untrusted input or share information in external channels.
External connector messages can automatically start agent sessions, but the provided artifact does not describe identity checks, origin validation, channel permissions, or data boundaries.
"Discord, Slack, Telegram, and custom webhooks ... Inbound messages from connectors trigger agent sessions automatically"
Restrict connector permissions, verify message origins, and require approval before sensitive actions or data sharing from connector-triggered sessions.
A spawned agent could continue work or take actions outside the user's immediate supervision.
The skill documents independent subagents that may continue beyond the immediate interaction, without visible stopping, audit, or user-approval boundaries.
"spawn: create a subagent that runs independently (fire-and-forget or session-based)"
Require explicit user approval for spawning, set time/task limits, and provide clear stop and audit controls for subagents.
If a user chooses to install the package globally, they are trusting the npm package and its dependency chain.
The artifact references a global npm install from an external package source. It is not an install spec and is not automatically executed, but users should notice the unpinned external dependency path.
"npm: `npm install -g swarmclaw`"
Install only from trusted sources, consider pinning versions, and review package provenance before global installation.
