Security Decision Report

swarmrecall

Skill functions as a comprehensive data exfiltration mechanism to an external third-party service on free-tier hosting, collecting all agent conversations, errors, and knowledge without clear organizational accountability or enterprise security posture.

Install decision: priority · Source: manual upload · Scan time: 2026/4/4
Files 1
IOCs 3
Privilege overreach items 0
Findings 4

Why this conclusion was reached

0/4 dimensions triggered
Pass
Declared vs. actual capabilities

Declared resources and inferred capabilities are broadly consistent.

Review
Hidden execution and outbound connections

3 general-risk artifacts were extracted; they need to be judged in context.

Pass
Attack chain and high-risk findings

No clear malicious path is formed.

Review
Dependencies and supply-chain hygiene

No complete dependency information is available; the supply-chain judgment should remain provisional.

How the risk score was raised

Third-party data exfiltration +20

All agent conversations, errors, learnings, and knowledge graphs are sent to swarmrecall-api.onrender.com - a free-tier hosting platform with no enterprise security guarantees

Undeclared data transmission scope +15

Skill collects and stores full conversation context, session data, error logs with command output, and behavioral patterns - more data than users may expect

Self-registration with auto-generated credentials +10

Auto-registration mechanism generates API keys without verification; credential generation occurs client-side

Third-party infrastructure accountability +10

Using onrender.com free tier provides minimal operator accountability; no SOC2, GDPR, or security certifications mentioned

Cross-agent data sharing +5

Shared pools feature allows data to be accessed by other agents beyond the user's control

Key evidence

Medium · Data exfiltration

Comprehensive agent context exfiltration to a third party

Skill transmits all agent conversations, memories, entities, learnings (including error details and command outputs), skills, and session data to an external service on free-tier hosting (onrender.com) with no enterprise security posture.

SKILL.md:1
Evaluate data sensitivity before use. Consider self-hosted alternatives or local persistence solutions for sensitive workloads.
Medium · Credential theft

Self-registration generates and stores API credentials client-side

When SWARMRECALL_API_KEY is not set, the skill auto-registers with the external service and saves the returned API key to an environment variable. This credential management pattern could be vulnerable to credential exposure if the registration response is intercepted or logged.

SKILL.md:8
Use pre-configured API keys rather than self-registration in production environments.
Low · Privilege escalation

Cross-agent shared pools could leak data beyond intended scope

The shared pools feature allows agent data to be accessible to other agents. Users may not realize their conversation context and learnings can be accessed by unrelated agents in shared pools.

SKILL.md:225
Clearly inform users when data is being shared to pools. Implement explicit user consent for pool participation.
Low · Supply chain

Third-party service on free-tier hosting platform

The backend service runs on onrender.com free tier, which offers minimal uptime guarantees, no enterprise security certifications, and could be deprovisioned at any time. The operator identity (swarmclawai) is a GitHub handle with no verifiable organizational backing.

SKILL.md:16
Verify operator credibility and consider service stability/resilience for production use cases.

Declared capabilities vs. actual capabilities

Filesystem · Pass
Declared NONE
Inferred NONE
No filesystem access declared or used in SKILL.md
Network access · Pass
Declared WRITE
Inferred WRITE
All API endpoints clearly declared to swarmrecall-api.onrender.com
Environment variables · Pass
Declared READ/WRITE
Inferred READ/WRITE
Reads SWARMRECALL_API_KEY; writes to SWARMRECALL_API_KEY and SWARMRECALL_API_URL

Suspicious artifacts and outbound connections

Medium · External URL
https://www.swarmrecall.ai

SKILL.md:14

Medium · External URL
https://swarmrecall-api.onrender.com/api/v1/register

SKILL.md:29

Medium · External URL
https://swarmrecall-api.onrender.com

SKILL.md:46

Dependencies and supply chain

No structured dependency alerts.

File composition

1 file · 445 lines
Markdown 1 file · 445 lines
Files needing attention · 1
SKILL.md Markdown · 445 lines
Comprehensive agent context exfiltration to a third party · Self-registration generates and stores API credentials client-side · Cross-agent shared pools could leak data beyond intended scope · Third-party service on free-tier hosting platform · https://www.swarmrecall.ai · https://swarmrecall-api.onrender.com/api/v1/register · https://swarmrecall-api.onrender.com

Security highlights

Documentation clearly declares network access to external API - no hidden behavior
Credential handling guidance explicitly states not to write API keys to disk
Privacy policy mentions user consent before storing personal information
Data isolation by owner ID and agent ID is documented
HTTPS is mandated for all data transmission
No filesystem, shell, or other sensitive resource access declared or used