Gen Agent Trust Hub audit: swarm (skills/chair4ce/node-scaling/swarm)

Audit result: Fail

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
  • [Unverifiable Dependencies & Remote Code Execution] (CRITICAL): Confirmed detection of piped remote execution. install.sh and the project documentation instruct users to run curl -fsSL https://raw.githubusercontent.com/clawdbot/node-scaling/main/install.sh | bash. This fetches a script from a repository (clawdbot) that is not the one hosting this skill (chair4ce) and executes it immediately, with the privileges of the invoking user, with no checksum, signature or pinned commit to check it against. Because the URL references the mutable main branch, the content can differ from whatever a reviewer inspected earlier, so whoever controls that branch, or can interfere with the download, gets arbitrary code execution on the host.
  • [COMMAND_EXECUTION] (HIGH): The skill's core functionality manages a background daemon and executes system-level commands through bin/swarm.js and bin/swarm-daemon.js. Combined with the unverified installation method, a long-running daemon that runs system commands is a ready-made foothold for persistent malicious activity.
  • [CREDENTIALS_UNSAFE] (MEDIUM): The bin/setup.js wizard stores API keys for Google Gemini, OpenAI, and Anthropic in plain-text files at predictable paths under ~/.config/clawdbot/. lib/security.js redacts these keys from worker output, but that only protects the output channel; any process running as the same user, including code pulled in by the installer above, can read the keys at rest.
  • [Prompt Injection] (LOW): SKILL.md uses authoritative language ('MANDATORY', 'No exceptions') intended to override the agent's own judgement and force use of the Swarm tool for all parallel tasks.
  • [Indirect Prompt Injection] (LOW): The skill fetches and processes untrusted external data from the web.
    - Ingestion points: lib/tools.js (fetches content from URLs) and lib/swarm-coordinator.js (aggregates findings from external sources).
    - Boundary markers: Present. lib/security.js prepends a SECURITY_POLICY to every LLM request instructing the model to treat fetched content as data rather than instructions.
    - Capability inventory: system command execution, network access to model APIs, and a local HTTP server.
    - Sanitization: Present. lib/security.js includes functions that detect common injection patterns and redact credentials from worker responses. Pattern matching of this kind is best-effort and should not be treated as a complete defence.
Recommendations
  • HIGH: Downloads and executes remote code from https://raw.githubusercontent.com/clawdbot/node-scaling/main/install.sh. Do not use without thorough review: read the script, pin it to a specific commit, and verify its checksum before running it rather than piping it into bash.
  • The automated analysis flagged serious security threats (see Full Analysis above).
Audit Metadata
Risk Level: CRITICAL
Analyzed: Feb 19, 2026, 12:05 PM