claude-swarm Security Report — Low Risk | ClawSafe

10 /100

claude-swarm

Claude-native multi-agent swarm orchestration for parallel coding via git worktrees and tmux

A legitimate multi-agent orchestration tool for spawning Claude Code agents in parallel via git worktrees and tmux, with properly documented capabilities. No malicious behavior, hidden exfiltration, or undocumented sensitive access observed.

Skill Nameclaude-swarm

Duration47.5s

Enginepi

✓

Safe to install

Verify that SWARM_WEBHOOK_URL and SWARM_TELEGRAM_BOT_TOKEN/SWARM_TELEGRAM_CHAT_ID point to trusted endpoints. Pin dependency versions in requirements.txt before auto-install. Consider documenting that spawned agents run with bypassPermissions.

Findings 2 items

Severity	Finding	Location
Low	Auto-install of unpinned dependencies Supply Chain spawn-agent.sh auto-installs from requirements.txt without version pinning, which could pull unexpected versions of packages at runtime. `pip install -r requirements.txt 2>/dev/null \|\| true` → Pin package versions (e.g., pip install -r requirements.txt --require-hashes) or disable auto-install and require manual setup.	`scripts/spawn-agent.sh:95`
Low	bypassPermissions not explicitly declared in SKILL.md Doc Mismatch Spawned Claude Code agents run with --permission-mode bypassPermissions, which grants elevated permissions. This is visible in the runner script but not mentioned in SKILL.md documentation. `claude --model "$MODEL" --effort "$EFFORT" --permission-mode bypassPermissions --print "$PROMPT"` → Document that spawned agents operate with bypassPermissions in SKILL.md so users understand the privilege model.	`scripts/spawn-agent.sh:125`

Resource	Declared	Inferred	Status	Evidence
Shell	`NONE`	`WRITE`	✓ Aligned	Spawns Claude Code agents via tmux with bypassPermissions — shell access is core…
Filesystem	`NONE`	`WRITE`	✓ Aligned	Creates worktrees, writes logs, writes runner scripts — all scoped to project di…
Network	`READ`	`READ`	✓ Aligned	Webhook/Telegram POSTs only to user-configured SWARM_WEBHOOK_URL / SWARM_TELEGRA…
Environment	`NONE`	`READ`	✓ Aligned	Reads SWARM_* config vars from swarm.conf via 'source'; does not harvest keys br…

1 findings

🔗

Medium External URL 外部 URL

https://api.telegram.org/bot$

scripts/notify.sh:22

File Tree

10 files · 28.7 KB · 792 lines

Shell 8f · 658L Markdown 1f · 105L JSON 1f · 29L

├─ ▾ 📁 config

│ └─ 📋 duty-table.json JSON 29L · 748 B

├─ ▾ 📁 scripts

│ ├─ 🔧 check-agents.sh Shell 24L · 760 B

│ ├─ 🔧 cleanup.sh Shell 45L · 1.2 KB

│ ├─ 🔧 endorse-task.sh Shell 8L · 391 B

│ ├─ 🔧 integration-watcher.sh Shell 150L · 5.5 KB

│ ├─ 🔧 notify-on-complete.sh Shell 89L · 3.4 KB

│ ├─ 🔧 notify.sh Shell 36L · 1.0 KB

│ ├─ 🔧 spawn-agent.sh Shell 230L · 8.7 KB

│ └─ 🔧 spawn-batch.sh Shell 76L · 3.0 KB

└─ 📝 SKILL.md Markdown 105L · 4.0 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`requirements.txt`	`unpinned`	pip	No	Auto-installed without version pinning or hash verification

Security Positives

✓ No base64 encoding, obfuscation, or anti-analysis techniques found

✓ No credential harvesting (API keys, SSH keys, .env scanning)

✓ No hardcoded external IPs or C2 communication patterns

✓ Webhook/Telegram calls are user-configured, not hardcoded

✓ Endorsement gate provides a manual safety check before agent spawning

✓ Agents run in isolated git worktrees with bounded scope

✓ All network calls are conditional and opt-in via config

✓ No cron jobs, backdoors, or persistence mechanisms

✓ Cleanup script properly removes worktrees and sessions

✓ Code is readable, self-contained shell scripts with no third-party dependencies

Scan Report

Findings 2 items

File Tree

Dependencies 1 items

Security Positives