Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SwarmRecall Skills

Skill registry for tracking agent capabilities and getting contextual suggestions via the SwarmRecall API. Register, list, and query installed skills with se...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 13 · 0 current installs · 0 all-time installs
by Wayde (@waydelyle)
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the runtime instructions: the SKILL.md instructs the agent to register, list, and query skills via api.swarmrecall.ai and requires an API key (SWARMRECALL_API_KEY), which is appropriate for a remote skill registry.
Instruction Scope
Instructions are narrowly scoped to registering, listing, and suggesting skills. Concerns: (1) the doc instructs the agent to self-register and obtain an apiKey if none is present — creating credentials without an explicit interactive user confirmation could be surprising; (2) it references an override env var SWARMRECALL_API_URL (for base URL) but that env var is not declared in the metadata; (3) the doc says 'do NOT write the key to disk' but also tells the agent to 'Save the apiKey to the SWARMRECALL_API_KEY environment variable' — persisting that across sessions typically requires writing to disk (shell profile), so guidance is ambiguous; (4) the agent will send skill metadata and potentially task/context to a third-party service — the doc asks for user consent before storing personal/sensitive info, but nothing enforces it.
Install Mechanism
Instruction-only skill with no install spec and no code files. This is the lowest-risk install mechanism; nothing is downloaded or written by an installer.
Credentials
Only SWARMRECALL_API_KEY is required and is appropriate for the stated functionality. Minor inconsistency: SKILL.md references SWARMRECALL_API_URL but that variable is not listed under required env vars. Also, instructions to store the apiKey in an environment variable without writing it to disk are ambiguous and may lead to insecure handling or accidental persistence.
Persistence & Privilege
always:false and no special system config paths requested. The skill can be invoked autonomously (default), which is normal; there is no indication the skill attempts to modify other skills or system-wide settings.
What to consider before installing
This skill does what it says (a remote skill registry) and only asks for a single API key, but you should decide whether you want your agent to send skill metadata and task context to a third-party service. Before installing: (1) confirm you consent to sending skill data to api.swarmrecall.ai; (2) consider creating a dedicated, least-privileged SwarmRecall API key rather than reusing broader credentials; (3) verify how the agent will persist the API key — avoid writing secrets to disk unless you explicitly approve the location and format; (4) note the SKILL.md references SWARMRECALL_API_URL (not declared) and a version mismatch inside the file metadata — ask the publisher for clarification about these inconsistencies and for an explicit user-consent prompt before any automated self-registration or key persistence.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.2
latestvk976stfd2fa06b9b52b7crj19583w6kh

Runtime requirements

Clawdis
Env: SWARMRECALL_API_KEY
Primary env: SWARMRECALL_API_KEY

SKILL.md

SwarmRecall Skills

Skill registry for tracking agent capabilities and getting contextual suggestions via the SwarmRecall API.

Auto-Registration

Before making any API calls, check for a SWARMRECALL_API_KEY environment variable:

  1. If SWARMRECALL_API_KEY is set, use it for all requests as a Bearer token.
  2. If SWARMRECALL_API_KEY is not set, self-register by calling:
    POST https://api.swarmrecall.ai/api/v1/register
    Content-Type: application/json
    
    { "name": "<your-agent-name>" }
    
  3. The response returns { "apiKey": "...", "claimToken": "..." }. Save the apiKey to the SWARMRECALL_API_KEY environment variable for all subsequent requests. Do NOT write the key to disk or any file without user consent.
  4. Tell the user: "SwarmRecall is set up! To manage your agent's data, visit swarmrecall.ai/claim with code: <claimToken>"

Authentication

All API requests require:

Authorization: Bearer <SWARMRECALL_API_KEY>

API Base URL

https://api.swarmrecall.ai (override with SWARMRECALL_API_URL if set)

All endpoints below are prefixed with /api/v1.
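
One way to implement the auto-registration, Bearer header and base-URL override above while addressing the scan's concerns (consent before self-registration, key kept in memory only, undeclared SWARMRECALL_API_URL). This is an added example, not code from the skill or from SwarmRecall; `SwarmRecallSession`, `resolve_base_url`, the `confirm` and `transport` callables and the host allowlist are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

DEFAULT_BASE = "https://api.swarmrecall.ai"
# Assumption: the operator lists every host the override may point to.
ALLOWED_HOSTS = {"api.swarmrecall.ai"}


def resolve_base_url(env):
    """Honor SWARMRECALL_API_URL only if it is HTTPS and on the allowlist."""
    override = env.get("SWARMRECALL_API_URL")
    if not override:
        return DEFAULT_BASE
    parts = urlsplit(override)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"refusing untrusted SWARMRECALL_API_URL: {override!r}")
    return override.rstrip("/")


class SwarmRecallSession:
    """Holds the API key in process memory only; nothing is written to disk."""

    def __init__(self, env, confirm, transport):
        self.base = resolve_base_url(env)
        self._key = env.get("SWARMRECALL_API_KEY")
        self._confirm = confirm      # hypothetical: callable(prompt) -> bool
        self._transport = transport  # hypothetical: callable(method, url, headers, body) -> dict
        self.claim_token = None

    def ensure_key(self, agent_name):
        """Self-register only when no key exists AND the user says yes."""
        if self._key:
            return
        prompt = f"Register agent {agent_name!r} with {self.base} and create an API key?"
        if not self._confirm(prompt):
            raise PermissionError("user declined SwarmRecall self-registration")
        resp = self._transport("POST", f"{self.base}/api/v1/register",
                               {"Content-Type": "application/json"},
                               json.dumps({"name": agent_name}))
        self._key, self.claim_token = resp["apiKey"], resp["claimToken"]

    def auth_headers(self):
        if not self._key:
            raise RuntimeError("no API key; call ensure_key() first")
        return {"Authorization": f"Bearer {self._key}"}

    def __repr__(self):  # keep the key out of logs and tracebacks
        state = "set" if self._key else "unset"
        return f"<SwarmRecallSession base={self.base!r} key={state}>"
```

The key obtained this way lasts only for the life of the process; persisting it across sessions is a separate step that needs its own explicit approval of location and format.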

Privacy & Data Handling

  • All data is sent to api.swarmrecall.ai over HTTPS
  • Skill registry data is stored server-side with vector embeddings for semantic search
  • Data is isolated per agent and owner — no cross-tenant access
  • Before storing user-provided content, ensure the user has consented to external storage
  • The SWARMRECALL_API_KEY should be stored as an environment variable only, not written to disk

Endpoints

Register a skill

POST /api/v1/skills
{
  "name": "code-review",
  "version": "1.0.0",
  "source": "clawhub/code-review",
  "description": "Automated code review with inline suggestions",
  "triggers": ["review", "PR"],
  "dependencies": ["git"],
  "config": {},
  "poolId": "<uuid>"           // optional — write to shared pool
}

List skills

GET /api/v1/skills?status=active&limit=20&offset=0

Get a skill

GET /api/v1/skills/:id

Update a skill

PATCH /api/v1/skills/:id
{ "version": "1.1.0", "config": {}, "status": "active" }

Remove a skill

DELETE /api/v1/skills/:id

Get skill suggestions

GET /api/v1/skills/suggest?context=<task-description>&limit=5

Behavior

  • On skill install: call POST /api/v1/skills to register the skill with name, version, and source.
  • On "what can I do?": call GET /api/v1/skills to list installed capabilities.
  • On task context: call GET /api/v1/skills/suggest?context=<description> for relevant skill recommendations.

Shared Pools

  • The POST /api/v1/skills endpoint accepts an optional "poolId" field.
  • When poolId is provided, the skill is shared with all pool members who have skills read access.
  • The agent must have readwrite access to the pool's skills module to register shared skills.
  • List (GET /api/v1/skills) and suggest (GET /api/v1/skills/suggest) results automatically include data from pools the agent belongs to.
  • Pool data in responses includes poolId and poolName fields to distinguish shared data from the agent's own data.

Files

1 total