swarmrecall-knowledge 安全扫描报告 — 低风险 | ClawSafe

20 /100

swarmrecall-knowledge

Knowledge graph with entities, relations, traversal, and semantic search via the SwarmRecall API

Purely declarative SKILL.md with documented external API integration, self-registration, and data transmission to swarmrecall-api.onrender.com. No executable code, no obfuscation, and all behaviors are declared.

技能名称swarmrecall-knowledge

分析耗时29.0s

引擎pi

✓

可以安装

Approve for use. The external API domain (onrender.com) is a legitimate hosting platform. Consider verifying the service operator if operating in high-security environments.

安全发现 2 项

严重性	安全发现	位置
低危	External service dependency on onrender.com 供应链 The skill depends on an external API hosted on swarmrecall-api.onrender.com. While onrender.com is a legitimate hosting platform, the specific subdomain is not independently verifiable and could be replaced with a malicious alternative. `https://swarmrecall-api.onrender.com` → Verify the service operator and consider pinning to a verified domain or self-hosting the service.	`SKILL.md:46`
低危	Self-registration with external service 文档欺骗 The skill auto-registers itself with the external service if SWARMRECALL_API_KEY is not set, generating credentials without user interaction. `POST https://swarmrecall-api.onrender.com/api/v1/register` → Ensure users are informed when auto-registration occurs and what data is shared.	`SKILL.md:27`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`NONE`	—	No filesystem operations declared or implied
网络访问	`READ`	`READ`	✓ 一致	External API calls to swarmrecall-api.onrender.com are documented
命令执行	`NONE`	`NONE`	—	No shell commands found
环境变量	`READ`	`READ`	✓ 一致	Reads SWARMRECALL_API_KEY and optionally sets it
技能调用	`NONE`	`NONE`	—	No skill-to-skill invocation documented
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser automation
数据库	`NONE`	`NONE`	—	Remote database via API only

3 项发现

🔗

中危外部 URL 外部 URL

https://www.swarmrecall.ai

SKILL.md:14

🔗

中危外部 URL 外部 URL

https://swarmrecall-api.onrender.com/api/v1/register

SKILL.md:29

🔗

中危外部 URL 外部 URL

https://swarmrecall-api.onrender.com

SKILL.md:46

目录结构

1 文件 · 5.5 KB · 150 行

Markdown 1f · 150L

└─ 📝 SKILL.md Markdown 150L · 5.5 KB

安全亮点

✓ All functionality is documented in SKILL.md - no hidden behavior

✓ No executable code present (documentation only)

✓ No obfuscation techniques (base64, eval, etc.)

✓ No credential harvesting beyond what the service requires

✓ No shell execution or filesystem manipulation

✓ No data exfiltration to undeclared endpoints

✓ Privacy policy and data handling practices are documented

✓ API key should remain in environment variable (not written to disk)

✓ No suspicious patterns like reverse shells, C2 communications, or credential theft