Low Risk — Risk Score 20/100
Last scan: 1 day ago
swarmrecall-knowledge
Knowledge graph with entities, relations, traversal, and semantic search via the SwarmRecall API
Purely declarative SKILL.md with documented external API integration, self-registration, and data transmission to swarmrecall-api.onrender.com. No executable code, no obfuscation, and all behaviors are declared.
Skill Name: swarmrecall-knowledge
Duration: 29.0s
Engine: pi
Safe to install
Approve for use. The external API domain (onrender.com) is a legitimate hosting platform. Consider verifying the service operator if operating in high-security environments.

Findings 2 items

Severity: Low
Finding: External service dependency on onrender.com (Supply Chain)
The skill depends on an external API hosted on swarmrecall-api.onrender.com. While onrender.com is a legitimate hosting platform, the specific subdomain is not independently verifiable and could be replaced with a malicious alternative.
https://swarmrecall-api.onrender.com
→ Verify the service operator and consider pinning to a verified domain or self-hosting the service.
Location: SKILL.md:46

Severity: Low
Finding: Self-registration with external service (Doc Mismatch)
The skill auto-registers itself with the external service if SWARMRECALL_API_KEY is not set, generating credentials without user interaction.
POST https://swarmrecall-api.onrender.com/api/v1/register
→ Ensure users are informed when auto-registration occurs and what data is shared.
Location: SKILL.md:27

Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | NONE | | No filesystem operations declared or implied
Network | READ | READ | ✓ Aligned | External API calls to swarmrecall-api.onrender.com are documented
Shell | NONE | NONE | | No shell commands found
Environment | READ | READ | ✓ Aligned | Reads SWARMRECALL_API_KEY and optionally sets it
Skill Invoke | NONE | NONE | | No skill-to-skill invocation documented
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | Remote database via API only

3 findings
Medium External URL
https://www.swarmrecall.ai
SKILL.md:14
Medium External URL
https://swarmrecall-api.onrender.com/api/v1/register
SKILL.md:29
Medium External URL
https://swarmrecall-api.onrender.com
SKILL.md:46

File Tree

1 file · 5.5 KB · 150 lines
Markdown 1f · 150L
└─ 📝 SKILL.md Markdown 150L · 5.5 KB

Security Positives

✓ All functionality is documented in SKILL.md - no hidden behavior
✓ No executable code present (documentation only)
✓ No obfuscation techniques (base64, eval, etc.)
✓ No credential harvesting beyond what the service requires
✓ No shell execution or filesystem manipulation
✓ No data exfiltration to undeclared endpoints
✓ Privacy policy and data handling practices are documented
✓ API key should remain in environment variable (not written to disk)
✓ No suspicious patterns like reverse shells, C2 communications, or credential theft