Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

FlowSwarm — Swarm Coding Framework for OpenClaw

v2.1.1

Multi-agent swarm orchestration via RuFlo + Claude Code. Turns single coding sessions into coordinated agent teams (architect/coder/tester/reviewer). Proven...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (RuFlo + Claude Code swarm orchestration) aligns with the SKILL.md and the setup script: it installs/initializes RuFlo, registers an MCP server, and enables many MCP tools. However, the registry metadata claims no required binaries/env vars, while SKILL.md and the script require node/npm, ruflo, claude CLI, git, python3 and a project .mcp.json; that mismatch (manifest says 'none' but instructions require many tools) is a transparency issue.
Instruction Scope (flagged)
SKILL.md and templates explicitly instruct the agent to read project files, grep source (public functions), read .claude logs and daemon logs, inspect git history, access/modify .mcp.json, initialize persistent memory DBs, and use 'real data' from the repo. The meta templates and security-audit templates also instruct scanning for hardcoded secrets. Combined with enabling MCP tools, the runtime guidance grants the model broad file-system and persistence access beyond a simple prompt helper.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but a provided setup script performs global npm installs (npm install -g ruflo@latest) and uses 'npx -y ruflo@latest mcp start' to register/start the MCP server. Pulling and running code from npm and using npx is common but still introduces moderate risk (remote code pulled at install time). The script also edits project files (.mcp.json) in-place.
Credentials
The manifest requests no credentials or env vars, which superficially looks least-privilege. But the SKILL.md and scripts require network access (npm, npx), write access to project files, and will spawn persistent services and databases. The skill also suggests scanning for hardcoded secrets and using real production data; those behaviors increase the chance of sensitive-data exposure even without explicit credential inputs.
Persistence & Privilege (flagged)
The instructions and setup script explicitly enable and start a persistent MCP server/daemon and flip .mcp.json 'autoStart' to true so Claude Code gains access to 150+ MCP tools (memory_store, agent_spawn, file/task management, session persistence). Although the skill metadata does not set always:true, enabling these persistent background capabilities effectively grants the model enduring programmatic control and local persistence — a high-privilege outcome the user should not enable lightly.
What to consider before installing
This skill appears to implement what it claims, but it asks you (via its scripts and README) to enable a local MCP server and daemon that give Claude Code programmatic access to many tools (file read/write, spawn agents, persistent memory, logs, and project config). Before installing:
1) Treat the setup as a privileged operation: run it only in an isolated environment (throwaway VM/container) and not on sensitive repos.
2) Inspect .mcp.json and the list of MCP tools to understand exactly what the model can do; do not accept blanket autoStart=true without review.
3) Verify the origin of the ruflo npm package and avoid running global npm installs as root; prefer installing in an isolated node environment.
4) If the repo contains secrets or sensitive data, do not enable 'use real data' or run the memory/daemon steps.
5) Ask the author for provenance (homepage, source repo, maintainer identity) and for an explicit list of the MCP tools that will be enabled.
If you need to proceed, run the script with --verify first, and consider auditing memory.db, the .claude logs and .mcp.json afterwards. If you want reduced risk, use only the prompt templates locally (without enabling the MCP server) or run the full flow in a sandboxed environment.


latest: vk97ezkmh94st7x2d2sekbyajc983ewq4
