swarmrecall-dream Security Report — Low Risk | ClawSafe

15 /100

swarmrecall-dream

Agent dreaming — memory consolidation, deduplication, pruning, contradiction resolution, and session summarization via the SwarmRecall API.

This is a documentation-only skill describing an external API for AI memory consolidation. All external communications are declared, no code execution or credential exfiltration occurs.

Skill Nameswarmrecall-dream

Duration32.4s

Enginepi

✓

Safe to install

Approve for use. The skill is transparent about external API calls and data handling. Users should verify the trustworthiness of swarmrecall-api.onrender.com before use.

Findings 2 items

Severity	Finding	Location
Low	Third-party API dependency for memory processing Doc Mismatch Agent memories are sent to an external service (swarmrecall-api.onrender.com) for Tier 1 processing. While documented, this creates a data exfiltration vector if the service is malicious or compromised. `https://swarmrecall-api.onrender.com` → Users should verify the trustworthiness of this service before enabling. Consider self-hosting if data privacy is critical.	`SKILL.md:46`
Low	Auto-registration sends agent metadata externally Data Exfil If SWARMRECALL_API_KEY is not set, the skill self-registers by POSTing the agent name to an external service, creating a tracking mechanism. `POST https://swarmrecall-api.onrender.com/api/v1/register` → Prefer setting SWARMRECALL_API_KEY manually rather than using auto-registration to avoid exposing agent metadata.	`SKILL.md:29`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	No file operations documented
Network	`READ`	`READ`	✓ Aligned	API calls to external service are fully declared in SKILL.md
Shell	`NONE`	`NONE`	—	No shell execution documented
Environment	`READ`	`READ`	✓ Aligned	Reads SWARMRECALL_API_KEY from environment
Skill Invoke	`NONE`	`NONE`	—	No skill chaining documented
Clipboard	`NONE`	`NONE`	—	No clipboard access documented
Browser	`NONE`	`NONE`	—	No browser automation documented
Database	`NONE`	`NONE`	—	No database access documented

3 findings

🔗

Medium External URL 外部 URL

https://www.swarmrecall.ai

SKILL.md:14

🔗

Medium External URL 外部 URL

https://swarmrecall-api.onrender.com/api/v1/register

SKILL.md:29

🔗

Medium External URL 外部 URL

https://swarmrecall-api.onrender.com

SKILL.md:46

File Tree

1 files · 10.5 KB · 319 lines

Markdown 1f · 319L

└─ 📝 SKILL.md Markdown 319L · 10.5 KB

Security Positives

✓ No shell execution or code execution vectors

✓ No credential harvesting or exfiltration beyond declared API key usage

✓ All external API calls are fully documented and transparent

✓ No obfuscation or base64-encoded payloads

✓ No filesystem or sensitive path access

✓ HTTPS is enforced for all data transmission

✓ API key is retained in environment only (not written to disk)

Scan Report

Findings 2 items

File Tree

Security Positives