Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SwarmRecall Learnings

Error tracking, correction logging, and pattern detection via the SwarmRecall API. Tracks agent mistakes, corrections, and discoveries to surface recurring i...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 14 · 0 current installs · 0 all-time installs
by Wayde (@waydelyle)
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and required credential (SWARMRECALL_API_KEY) align with an external learnings/error-tracking service. No unrelated credentials or binaries are requested.
Instruction Scope
Instructions tell the agent to POST full error details and command output to the external API on errors and to call patterns/promotions on session start. That behavior can exfiltrate secrets or PII embedded in logs/outputs unless the agent reliably obtains explicit user consent and scrubs sensitive content. The SKILL.md also references SWARMRECALL_API_URL as an override but that env var is not declared in the registry metadata.
Install Mechanism
Instruction-only skill with no install steps and no code files — nothing is written to disk by an installer. This is the lowest install risk.
Credentials
Only SWARMRECALL_API_KEY is required, which is proportionate. However the skill instructs self-registration when the key is absent and asks the agent to 'save the apiKey to the SWARMRECALL_API_KEY environment variable' without specifying how to persist it securely. The guidance not to write keys to disk is good but leaves ambiguity about how the agent should persist credentials securely. Also, automatic logging of command output may transmit unrelated secrets.
Persistence & Privilege
always:false and no system-wide config modifications. The skill does not request permanent presence or modify other skills. The main privilege is the ability to send runtime context to an external service.
What to consider before installing
This skill looks like it really integrates with SwarmRecall, but it asks the agent to automatically upload error outputs and session data to an external service — which can include secrets and personal data. Before installing:

  1. Confirm how your agent will obtain explicit user consent before any content is stored or shared.
  2. Ask how the SWARMRECALL_API_KEY will be persisted securely (credential store vs. writing to env files); do not allow silent disk writes.
  3. Decide whether automatic uploads of raw command output are acceptable; prefer manual review or scrubbers that remove secrets.
  4. Note the SKILL.md references SWARMRECALL_API_URL (not declared); ask the publisher to document optional env vars and exact data retention/sharing policies.

If you cannot verify these, treat the skill as high-risk for accidental data exposure.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.2
latestvk9709q6pjzk3gh1ceeb9jaxa0h83xk4t

Runtime requirements

💡 Clawdis
Env: SWARMRECALL_API_KEY
Primary env: SWARMRECALL_API_KEY

SKILL.md

SwarmRecall Learnings

Error tracking, correction logging, and pattern detection via the SwarmRecall API.

Auto-Registration

Before making any API calls, check for a SWARMRECALL_API_KEY environment variable:

  1. If SWARMRECALL_API_KEY is set, use it for all requests as a Bearer token.
  2. If SWARMRECALL_API_KEY is not set, self-register by calling:
    POST https://api.swarmrecall.ai/api/v1/register
    Content-Type: application/json
    
    { "name": "<your-agent-name>" }
    
  3. The response returns { "apiKey": "...", "claimToken": "..." }. Save the apiKey to the SWARMRECALL_API_KEY environment variable for all subsequent requests. Do NOT write the key to disk or any file without user consent.
  4. Tell the user: "SwarmRecall is set up! To manage your agent's data, visit swarmrecall.ai/claim with code: <claimToken>"

Authentication

All API requests require:

Authorization: Bearer <SWARMRECALL_API_KEY>

API Base URL

https://api.swarmrecall.ai (override with SWARMRECALL_API_URL if set)

All endpoints below are prefixed with /api/v1.

Privacy & Data Handling

  • All data is sent to api.swarmrecall.ai over HTTPS
  • Learning data (errors, corrections, discoveries) is stored server-side with vector embeddings for semantic search
  • Data is isolated per agent and owner — no cross-tenant access
  • Before storing user-provided content, ensure the user has consented to external storage
  • The SWARMRECALL_API_KEY should be stored as an environment variable only, not written to disk

Endpoints

Log a learning

POST /api/v1/learnings
{
  "category": "error",        // error | correction | discovery | optimization | preference
  "summary": "npm install fails with peer deps",
  "details": "Full error output...",
  "priority": "high",         // low | medium | high | critical
  "area": "build",
  "suggestedAction": "Use --legacy-peer-deps flag",
  "tags": ["npm", "build"],
  "metadata": {},
  "poolId": "<uuid>"          // optional — write to shared pool
}

Search learnings

GET /api/v1/learnings/search?q=<query>&limit=10&minScore=0.5

Get a learning

GET /api/v1/learnings/:id

List learnings

GET /api/v1/learnings?category=error&status=open&priority=high&area=build&limit=20&offset=0

Update a learning

PATCH /api/v1/learnings/:id
{ "status": "resolved", "resolution": "Added --legacy-peer-deps", "resolutionCommit": "abc123" }

Get recurring patterns

GET /api/v1/learnings/patterns

Get promotion candidates

GET /api/v1/learnings/promotions

Link related learnings

POST /api/v1/learnings/:id/link
{ "targetId": "<other-learning-id>" }

Behavior

  • On error: call POST /api/v1/learnings with category: "error", the summary, details, and the command/output that failed.
  • On correction: call POST /api/v1/learnings with category: "correction" and what was wrong vs. what is correct.
  • On session start: call GET /api/v1/learnings/patterns to preload known recurring issues. Check GET /api/v1/learnings/promotions for patterns ready to be promoted.
  • On promotion candidates: surface candidates to the user for approval before acting on them.
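
The "On error" behavior sends the failing command's output off-host, which is the exposure the scan flags. The following is an added example, not part of the skill or of SwarmRecall's code: it gates the upload on user consent and redacts obvious credentials before building the POST /api/v1/learnings body. The regexes, the function names `scrub` and `build_error_learning`, the `scrubbed` metadata flag and the sample output are assumptions constructed here.

```python
import re

# Constructed redaction rules (assumptions; extend for your environment).
# They over-redact on purpose: any NAME containing KEY/TOKEN/SECRET/PASSWORD
# followed by '=' or ':' loses its value.
_RULES = [
    (re.compile(r"(?i)\b(authorization:\s*bearer)\s+[^\s'\"]+"), r"\1 [REDACTED]"),
    (re.compile(r"(?i)\b([A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD)[A-Z0-9_]*)"
                r"\s*[=:]\s*\S+"), r"\1=[REDACTED]"),
    (re.compile(r"(://[^/\s:@]+):[^@\s]+@"), r"\1:[REDACTED]@"),  # URL userinfo
]
MAX_DETAILS = 4000  # cap how much raw output leaves the host


def scrub(text):
    """Apply every redaction rule, then truncate."""
    for pattern, replacement in _RULES:
        text = pattern.sub(replacement, text)
    return text[:MAX_DETAILS]


def build_error_learning(summary, output, user_consented,
                         area="build", priority="medium"):
    """Return the JSON body for POST /api/v1/learnings, or None without consent."""
    if not user_consented:
        return None  # nothing is built, so nothing can be sent
    return {
        "category": "error",
        "summary": scrub(summary),
        "details": scrub(output),
        "priority": priority,
        "area": area,
        "tags": [],
        "metadata": {"scrubbed": True},  # hypothetical marker, not a documented field
    }


# Constructed sample of failing command output containing three secrets.
SAMPLE_OUTPUT = (
    "npm ERR! code ERESOLVE\n"
    "env: NPM_TOKEN=npm_CONSTRUCTED123\n"
    "fetch https://deploy:hunter2@registry.example.test/pkg failed\n"
    "curl -H 'Authorization: Bearer sk-constructed-456' ...\n"
)

if __name__ == "__main__":
    print(build_error_learning("npm install fails", SAMPLE_OUTPUT, True))
```

Pattern-based scrubbing only catches secrets that look like the rules; manual review of the payload before sending remains the stronger control.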

Shared Pools

  • The POST /api/v1/learnings endpoint accepts an optional "poolId" field.
  • When poolId is provided, the learning is shared with all pool members who have learnings read access.
  • The agent must have readwrite access to the pool's learnings module to write shared learnings.
  • Search (GET /api/v1/learnings/search) and list (GET /api/v1/learnings) results automatically include data from pools the agent belongs to.
  • Pool data in responses includes poolId and poolName fields to distinguish shared data from the agent's own data.
