
Security audit

FlowSwarm — Swarm Coding Framework for OpenClaw

Security checks across malware telemetry and agentic risk

Overview

FlowSwarm is a coherent coding-swarm skill, but it enables broad persistent tooling, permission bypass examples, and automatic MCP configuration changes that users should review first.

Install only in trusted, version-controlled projects. Review `.mcp.json` changes before enabling autoStart, avoid `bypassPermissions` outside an isolated workspace, prefer pinned RuFlo versions over `@latest`, and do not feed unsanitized secrets, logs, production data, or proprietary details into persistent swarm memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly instructs actions that can modify project files, such as editing `.mcp.json`, generating test files, and running setup steps, yet it declares no permissions. That mismatch can cause users or host systems to invoke a write-capable skill without informed consent or proper sandboxing, increasing the risk of unintended repository or config changes.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger set includes broad phrases like "swarm this" and "use the swarm," which can appear in normal conversation and may activate a high-impact orchestration skill unintentionally. Because this skill launches multi-agent workflows, background execution, and potential file changes, accidental invocation is more dangerous than with a read-only helper skill.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill advertises persistent cross-run memory, session persistence, and state retention, but does not pair those features with a clear retention warning, consent model, or data handling boundaries. In a coding environment, retained prompts, findings, file paths, errors, and snippets may contain secrets or proprietary code, so silent persistence materially raises confidentiality risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The template explicitly encourages testing with real system configuration data but provides no guardrails about secrets, customer data, or environment-specific sensitive values. In a multi-agent orchestration skill, that omission increases the chance that confidential configuration or production-derived data will be copied into prompts, logs, generated tests, or outputs visible to other agents and tooling.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The meta-analysis template directs the system to inspect git history and daemon logs to rewrite the skill, but it does not warn that those sources may contain secrets, internal code, credentials, prompts, filenames, or operational metadata. Because this skill is designed to coordinate multiple agents with persistent memory and logging, encouraging broad ingestion of those artifacts materially raises the risk of unnecessary sensitive-data exposure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script modifies the project's `.mcp.json` in place to force autoStart from false to true without prompting the user, backing up the file, or scoping the change to only the intended server. That can silently change project security posture by automatically enabling MCP servers and tools on future Claude runs, which is especially sensitive in a skill explicitly designed to activate 150+ tools and persistent agent orchestration.

Ssd 3

Medium
Confidence
95% confidence
Finding
These instructions encourage persistent storage and retrieval of prior session context through `memory_store` and `memory_search` without defining exclusions for secrets, credentials, proprietary code, or user-provided sensitive text. Persistent semantic memory increases the blast radius of a single disclosure because sensitive context can be resurfaced in later, unrelated runs.

Ssd 3

Medium
Confidence
95% confidence
Finding
The prompt template explicitly tells agents to store 'key findings' after completion, which is broad natural-language retention with no minimization standard. Findings from test generation or code review often include code fragments, failure details, internal paths, and sensitive business logic, so this can create durable over-collection of project data.

Ssd 3

Medium
Confidence
96% confidence
Finding
This template tells the system to remember what failed and why after each iteration, which can capture raw execution context such as error messages, stack traces, test fixtures, endpoint URLs, and config values. Repeated iteration logging is especially risky because it accumulates detailed internal state over time and makes later disclosure more damaging.

Ssd 3

Medium
Confidence
87% confidence
Finding
The self-improvement protocol directs the skill to analyze historical skill files and production run data to generate a new version, promoting broad reuse of accumulated prior content without clear scoping or sanitization. While framed as optimization, it can normalize long-term retention and secondary use of sensitive development artifacts beyond the original purpose they were collected for.

Ssd 3

Medium
Confidence
95% confidence
Finding
Reviewing daemon logs and production test results can expose sensitive operational details, user data, stack traces, tokens, or proprietary implementation context, and the template asks agents to use that material to generate a rewritten output. That creates a direct path for sensitive information to be propagated into new prompts, memory stores, generated documents, or commit diffs without any minimization or redaction requirement.

VirusTotal

60/60 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.