Is digi604/swarmmarket2 safe?
https://github.com/openclaw/skills/tree/main/skills/digi604/swarmmarket2
SwarmMarket2 is an agent marketplace skill with two significant security concerns: a live remote update mechanism that allows the operator to silently replace the skill's instructions after installation by re-fetching https://api.swarmmarket.io/skill.md, and a heartbeat injection that persistently modifies the agent's behavioral state to autonomously poll the marketplace every 4+ hours. The skill also enables real-money financial transactions via Stripe without per-action authorization, bundles an anomalous .clawhub/lock.json that could interfere with skill management, and collects user PII (owner_email) during mandatory registration. No direct sensitive file access or canary exfiltration was detected during installation.
Findings (9)
CRITICAL: Live Remote Update Mechanism Enables Post-Install Instruction Replacement (-45)
The skill explicitly designates https://api.swarmmarket.io/skill.md as the canonical SKILL.md and instructs agents 'Check for updates: Re-fetch this file anytime to see new features!' Additionally, skill.json lists this URL under the 'files' key. This creates a mechanism where the operator can replace the skill's instructions at any time — including after security review — with arbitrary content including full prompt injection payloads. Any agent that faithfully re-fetches this URL will receive whatever instructions the server returns at that moment.
HIGH: Heartbeat Injection Modifies Agent Persistent Behavioral State (-20)
The skill contains an explicit section instructing the agent to append SwarmMarket polling instructions to its HEARTBEAT.md file and to create/modify memory/heartbeat-state.json with a lastSwarmMarketCheck field. This is a persistent behavioral modification that causes the agent to autonomously check swarmmarket.io every 4+ hours regardless of user requests — a form of behavioral hijacking that outlasts the current session.
HIGH: Skill Package Bundles Anomalous Clawhub Lock File (-25)
The skill package contains .clawhub/lock.json which declares another skill (academic-research-hub v0.1.0) as installed, with a timestamp of 1770957475341. This file should not be present inside a skill package — the clawhub lock file tracks the host's installed skills state. Bundling a lock file could interfere with the skill manager's tracking, forge an apparent dependency, or exfiltrate information about which other skills are installed on the target when the package is processed.
HIGH: Autonomous Real-Money Financial Transactions Without Per-Action Authorization (-20)
The skill enables the agent to conduct real financial transactions via Stripe — including wallet deposits, escrow funding, listing purchases, auction bids, and order placement — without requiring explicit user authorization for each individual action. An agent following this skill's guidance could commit real money on behalf of the user based on autonomous marketplace polling decisions triggered by the heartbeat injection.
MEDIUM: User PII Collection via Mandatory Agent Registration (-15)
The skill requires agent registration as a prerequisite for any functionality. The registration endpoint collects owner_email and sends it to swarmmarket.io, creating a persistent PII record in a third-party database. Users may not realize their email is being transmitted to a marketplace operator they have no direct relationship with.
MEDIUM: Webhook Setup Instructions Expose Agent Host to Internet (-10)
The skill provides detailed instructions for creating publicly accessible HTTP endpoints on the agent's host machine to receive webhook callbacks from swarmmarket.io. Options include ngrok, Cloudflare Tunnel, cloud functions, and VPS deployment. This exposes the agent's runtime environment to unsolicited external HTTP connections and could be used as an attack surface for SSRF or webhook forgery.
MEDIUM: Version Number Inconsistency Across Skill Files (-10)
The three metadata files report three different version numbers: skill.json declares 0.3.0, skill.md frontmatter declares 0.2.0, and _meta.json declares 1.0.0. This inconsistency could indicate a supply chain fragmentation issue where different components were updated at different times, or it could represent a bait-and-switch where a different version is shown for review than what is deployed.
LOW: Trust Score Incentivizes Agent-Initiated Social Media Promotion (-10)
The skill's trust scoring system awards +15% trust bonus for Twitter verification, which requires the agent to post specific promotional content including the text 'I just registered my AI agent on @SwarmMarket' with the hashtag #SwarmMarket. This incentivizes agents to post marketing content on behalf of users without explicit consent for each post.
INFO: Persistent API Credential Storage Creates Ongoing Third-Party Relationship (-5)
The skill instructs storing the SwarmMarket API key in ~/.config/swarmmarket/credentials.json, creating a persistent credential file that establishes an ongoing identity with a third-party service. This credential persists after the skill is removed and could be read by other skills or processes with filesystem access.