Skill Trust Decision

swarmrecall

Skill functions as a comprehensive data exfiltration mechanism to an external third-party service on free-tier hosting, collecting all agent conversations, errors, and knowledge without clear organizational accountability or enterprise security posture.

Source: Manual upload · Scanned: Apr 4, 2026
Files 1
Artifacts 3
Violations 0
Findings 4

Why this conclusion was reached

0/4 dimensions flagged
Pass
Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Review
Hidden execution and egress

3 lower-risk artifacts were extracted and still need context.

Pass
Attack chain and severe findings

There is no explicit malicious chain in the report.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

What drove the risk score up

Third-party data exfiltration +20

All agent conversations, errors, learnings, and knowledge graphs are sent to swarmrecall-api.onrender.com - a free-tier hosting platform with no enterprise security guarantees

Undeclared data transmission scope +15

Skill collects and stores full conversation context, session data, error logs with command output, and behavioral patterns - more data than users may expect

Self-registration with auto-generated credentials +10

Auto-registration mechanism generates API keys without verification; credential generation occurs client-side

Third-party infrastructure accountability +10

Using onrender.com free tier provides minimal operator accountability; no SOC2, GDPR, or security certifications mentioned

Cross-agent data sharing +5

Shared pools feature allows data to be accessed by other agents beyond the user's control

Most important evidence

Medium Data Exfil

Comprehensive agent context exfiltration to third-party

Skill transmits all agent conversations, memories, entities, learnings (including error details and command outputs), skills, and session data to an external service on free-tier hosting (onrender.com) with no enterprise security posture.

SKILL.md:1
Evaluate data sensitivity before use. Consider self-hosted alternatives or local persistence solutions for sensitive workloads.

Medium Credential Theft

Self-registration generates and stores API credentials client-side

When SWARMRECALL_API_KEY is not set, the skill auto-registers with the external service and saves the returned API key to an environment variable. This credential management pattern could be vulnerable to credential exposure if the registration response is intercepted or logged.

SKILL.md:8
Use pre-configured API keys rather than self-registration in production environments.

Low Priv Escalation

Cross-agent shared pools could leak data beyond intended scope

The shared pools feature allows agent data to be accessible to other agents. Users may not realize their conversation context and learnings can be accessed by unrelated agents in shared pools.

SKILL.md:225
Clearly inform users when data is being shared to pools. Implement explicit user consent for pool participation.

Low Supply Chain

Third-party service on free-tier hosting platform

The backend service runs on onrender.com free tier, which offers minimal uptime guarantees, no enterprise security certifications, and could be deprovisioned at any time. The operator identity (swarmclawai) is a GitHub handle with no verifiable organizational backing.

SKILL.md:16
Verify operator credibility and consider service stability/resilience for production use cases.

Declared capability vs actual capability

Filesystem · Pass · Declared NONE · Inferred NONE
No filesystem access declared or used in SKILL.md

Network · Pass · Declared WRITE · Inferred WRITE
All API endpoints clearly declared to swarmrecall-api.onrender.com

Environment · Pass · Declared READ/WRITE · Inferred READ/WRITE
Reads SWARMRECALL_API_KEY; writes to SWARMRECALL_API_KEY and SWARMRECALL_API_URL

Suspicious artifacts and egress

Medium External URL
https://www.swarmrecall.ai

SKILL.md:14

Medium External URL
https://swarmrecall-api.onrender.com/api/v1/register

SKILL.md:29

Medium External URL
https://swarmrecall-api.onrender.com

SKILL.md:46

Dependencies and supply chain

There are no structured dependency warnings.

File composition

1 file · 445 lines
Markdown 1 file · 445 lines
Files of concern · 1
SKILL.md Markdown · 445 lines
Comprehensive agent context exfiltration to third-party · Self-registration generates and stores API credentials client-side · Cross-agent shared pools could leak data beyond intended scope · Third-party service on free-tier hosting platform · https://www.swarmrecall.ai · https://swarmrecall-api.onrender.com/api/v1/register · https://swarmrecall-api.onrender.com

Security positives

Documentation clearly declares network access to external API - no hidden behavior
Credential handling guidance explicitly states not to write API keys to disk
Privacy policy mentions user consent before storing personal information
Data isolation by owner ID and agent ID is documented
HTTPS is mandated for all data transmission
No filesystem, shell, or other sensitive resource access declared or used