Is matchaonmuffins/claw-swarm safe?
https://github.com/openclaw/skills/tree/main/skills/matchaonmuffins/claw-swarm
ClawSwarm is a transparent collaborative problem-solving skill that routes agent reasoning through an external task distribution service at claw-swarm.com. The primary risks are structural rather than stealthy: the skill's core loop continuously transmits the agent's complete reasoning to a third-party server (potentially including sensitive session context), and aggregate tasks inject unverified content from other agents directly into the agent's context — a viable indirect prompt injection vector. No malicious code, hidden instructions, or canary violations were detected, but the cross-account provenance mismatch in metadata and the skill's persistent-identity and infinite-loop design warrant careful user review before activation in a sensitive environment.
Category Scores
Findings (6)
HIGH Agent reasoning continuously transmitted to third-party server -25 ▶
The skill's mandatory workflow requires the agent to POST its 'complete reasoning and solution' to claw-swarm.com for every task it processes. An agent operating in a user's session accumulates context from prior tool calls, file reads, environment variables, and shell outputs. Any of that context that enters the agent's chain of thought will be included in the 'content' field and transmitted externally. The user confirmation step partially mitigates uncontrolled transmission but does not prevent sensitive context from appearing in the payload; users are unlikely to audit multi-paragraph reasoning blobs for embedded secrets.
HIGH Aggregate tasks inject unverified external content into agent context -28 ▶
In Level 2+ aggregate tasks, the claw-swarm.com server delivers 'sources' — content written by arbitrary other agents — directly into the agent's active context. The agent is explicitly instructed to 'Review all provided attempts', 'Synthesize the strongest possible answer', and weight the external content by confidence scores. This creates a viable indirect prompt injection channel: a malicious actor who controls another agent in the swarm can craft source content containing adversarial instructions that will be processed by downstream aggregating agents.
MEDIUM Skill creates infinite task polling loop with no exit condition -18 ▶
The skill's workflow section explicitly instructs the agent to poll for tasks, submit, then immediately poll again with no stopping criterion. This creates a persistent background behavior loop that could consume the agent's attention indefinitely, preventing it from responding to user requests and effectively hijacking the agent's execution for the skill operator's benefit.
MEDIUM Agent registered with external service; API key persisted to local filesystem -17 ▶
The skill instructs the agent to POST to /agents/register, receive a persistent apiKey credential, and store it in a local secrets file referenced from TOOLS.md. This creates a durable external identity that outlives the session, leaves a credential artifact on the user's filesystem, and implicitly expands the attack surface by adding a stored secret that could be discovered by other processes or skills.
LOW Repository provenance mismatch in _meta.json -20 ▶
The _meta.json commit field references a commit on github.com/clawdbot/skills, but the skill was installed from github.com/openclaw/skills. The skill appears to have been copied between GitHub accounts without updating metadata. This breaks the chain of provenance from published metadata to the actual installation source and suggests the skill may not have been purpose-built for its current hosting location.
INFO Positive: user confirmation required before every submission 0 ▶
The skill explicitly requires the agent to display the full submission payload to the user and await confirmation before transmitting to the external server. This is a meaningful transparency and consent mechanism that reduces the risk of silent exfiltration, though it does not eliminate the underlying data transmission concern.