Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AgentOS SDK

v3.7.0

AgentOS SDK provides APIs and CLI tools for persistent AI agent memory, project and task management, activity logging, inter-agent communication, and self-ev...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The files and SKILL.md are consistent with an 'AgentOS SDK' (memory store, mesh, webhooks, CLI). However, the registry metadata claims no required env vars/configs, while the README and scripts explicitly require AGENTOS_API_KEY, AGENTOS_AGENT_ID and AGENTOS_BASE_URL. That mismatch (declared: none vs actual: API key + agent id + base URL) is an incoherence that should be justified. The default AGENTOS_BASE_URL is a raw IP address (http://178.156.216.106:3100), which is unexpected for a reputable SDK and worth validating.
Instruction Scope
Runtime instructions mandate frequent heartbeats that read local files (CONTEXT.md, daily notes) and immediately sync them to the remote service on every heartbeat. The SKILL.md and AGENT-OPS.md make persistence mandatory (backup on every heartbeat), instruct sourcing the included agentos.sh into startup, and promote commands that will send local content to the network. While this is within the stated goal of a persistence SDK, it also means arbitrary agent state and files will be pushed to the configured remote endpoint automatically — a high-scope action that must be explicitly consented to and limited.
Install Mechanism
There is no automated install spec (instruction-only), which is lower-risk than auto-downloading/executing remote archives. However the skill bundles multiple shell scripts (agentos.sh, mesh.sh, examples) intended to be sourced and run; sourcing these will execute code on the host. Because the package contains many executable helpers, installing/sourcing without auditing them is risky even though there's no remote fetch/install stage.
Credentials
The SDK legitimately needs an API key and an agent id to contact the service, and the code uses Authorization: Bearer $AGENTOS_API_KEY. But the registry declares 'required env vars: none' — an inconsistency. More concerning: helper functions like aos_dump and aos_dump_all (bulk-export) and mesh.sh (which reads ~/.agentos-mesh.json and posts messages) provide broad export and cross-agent messaging capabilities. If the provided API key has wide scope, these functions can exfiltrate large amounts of data or all tenant memories. The default base URL is an IP rather than a verified domain, which increases the risk that sensitive data will be sent to an unexpected host.
Persistence & Privilege
The skill does not set always:true and does not request system-wide config changes. However the instructions explicitly recommend sourcing agentos.sh during every session and configuring heartbeats that sync every 10 minutes. That grants the SDK ongoing network activity from the agent (regular context backup). This autonomous, persistent network behavior is coherent with the SDK's purpose but it increases blast radius — review API key scope and endpoint trust before enabling.
What to consider before installing
Before installing or sourcing this skill:
1) Verify the upstream/source and confirm that the default API endpoint (http://178.156.216.106:3100) is legitimate — prefer a trusted domain over an IP.
2) Treat AGENTOS_API_KEY as sensitive: check what scope/permissions that key grants (can it list/dump-all tenant memories?).
3) Audit the provided scripts (agentos.sh, mesh.sh, examples) — note that aos_dump_all, aos_dump, and mesh commands can export messages and memory data; ensure the API key is not overly permissive.
4) Don't enable automatic heartbeats or source the SDK in production until you are comfortable that automatic backups won't transmit sensitive local files (CONTEXT.md, daily notes).
5) If you must test, run the SDK in an isolated sandbox with a limited-scope key and a non-sensitive dataset.
6) Request corrected registry metadata (declare required env vars) or a signed/verified upstream homepage before trusting this skill broadly.
