Manage backlink exchanges for AI-created sites by registering domains, requesting and contributing links, tracking credits, and receiving placement notificat...
Security Analysis
Medium confidence
The skill's purpose (backlink exchange) matches its instructions, but the runtime instructions expect a private API key and webhook endpoints while the skill metadata declares no required credentials or config — this mismatch and the webhook/externally-hosted callbacks are unexplained and warrant caution.
Name, description, and SKILL.md consistently describe a backlink-exchange API (register sites, request/contribute links, check credits). The API endpoints and examples in the doc match the stated purpose.
SKILL.md stays within the backlink-exchange domain (register site, verify DNS/meta, post requests, webhooks). It instructs storing an API key in auth-profiles.json or environment and registering webhooks. It does not instruct reading unrelated system files. However it grants the agent discretion to configure webhooks (which implies the agent must host or expose an endpoint) without guidance on safely doing so.
Instruction-only skill with no install spec and no code files — nothing is written to disk or downloaded by the skill itself, which is the lowest-risk install profile.
The SKILL.md explicitly expects an API key (sk_linkswarm_...) to be stored in auth-profiles.json or environment, yet the registry metadata lists no required env vars or primary credential. That mismatch is a red flag: the skill will need a secret at runtime but does not declare it. Additionally, the webhook feature implies exposing an endpoint which can leak data if mishandled; the doc does not explain recommended minimal scopes or how the API key should be limited.
always is false and the skill has no install or system modifications. It does instruct configuring auth-profiles.json (normal for API-using skills) and registering webhooks (optional). No evidence the skill requests elevated/system-wide privileges.
Guidance
This skill appears to be what it claims (a backlink-exchange API), but there are a few things to check before installing:
- The SKILL.md expects a private API key (sk_linkswarm_...) but the skill metadata does not declare any required credentials — assume you must provide that secret manually; only give a key you trust and consider creating a dedicated, limited-scope account.
- Webhooks: if you enable webhooks the agent may need a publicly reachable URL (or a tunneling service). Exposing endpoints can leak data; prefer a dedicated webhook receiver with strict validation and minimal privileges.
- Verify the service identity: the documentation references api.linkswarm.ai and linkswarm.ai but the registry shows no homepage; confirm the domain and read provider docs and terms before giving credentials.
- Monitor network activity and API usage for unexpected calls, and revoke the API key if behavior looks suspicious.
If you can get clarification from the publisher about the expected credential names/scopes and webhook security recommendations, that would reduce risk.
Latest Release
v1.0.0
Initial release - backlink exchange API for AI agents
Published by @Heyw00d on ClawHub