AgentOS Mesh

Security checks across malware telemetry and agentic risk

Overview

This is a functional agent messaging tool, but it needs review: it can send API keys and messages to a plaintext (cleartext HTTP) endpoint addressed by a bare IP that its documentation does not clearly disclose, and its status output prints part of the API key.

Install only if you explicitly trust the AgentOS server you configure. Set an explicit trusted HTTPS API URL, use a narrowly scoped API key, avoid sharing mesh status output, and do not enable cron or heartbeat auto-processing unless you trust the mesh participants and accept that processed local messages are cleared.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium, 96% confidence

Finding
The status command prints the API key prefix (`${AGENTOS_KEY:0:20}...`) directly to user-facing output. Even partial credential disclosure materially weakens secret confidentiality because it can leak into terminal logs, screenshots, shell history captures, CI logs, or support transcripts, and helps attackers validate or correlate stolen keys.

Missing User Warnings

Medium, 95% confidence

Finding
The documentation instructs users to place a live API key in plaintext configuration files or export it directly as an environment variable, but provides no warning about file permissions, secret leakage into shell history, process listings, logs, backups, or the risk of using cleartext HTTP. In a skill specifically designed for agent-to-agent network communication, this increases the chance of credential exposure and unauthorized mesh access.

Missing User Warnings

Medium, 98% confidence

Finding
The script explicitly exposes the first 20 characters of the bearer token in `cmd_status`. Because this is a CLI utility likely to be run interactively and in logged environments, the leaked token fragment can be harvested from console recordings or logs and may aid credential misuse or secret matching.
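The following shell example is added here for illustration; it is not the AgentOS Mesh script and not SkillSpector output. It puts the status-output pattern described in the first and third findings next to a status routine that discloses no key material, and adds the two checks the Overview recommends before the key is used: an API URL that is HTTPS and names a host rather than a bare IP, and a configuration file that group and others cannot read. The function names, the sample key and the example URLs are assumptions; only the AGENTOS_KEY variable and the `${AGENTOS_KEY:0:20}...` expression come from the page.

```shell
#!/usr/bin/env sh
# Added example, not the AgentOS Mesh script: the status-output pattern the
# findings describe next to a version that discloses no key material, plus the
# URL and file-permission checks a user of this skill would want.
# Function names and the sample key are assumptions/constructed for this example.

# Pattern reported in the findings: the script prints ${AGENTOS_KEY:0:20}...
# (bash substring). Written here with POSIX printf precision; same output.
agentos_status_leaky() {
    printf 'API key: %.20s...\n' "$AGENTOS_KEY"
}

# Short fingerprint: first 8 hex chars of SHA-256 of the key. An operator can
# tell which key is configured, but no part of the key itself is shown.
# Only meaningful for high-entropy keys; a guessable key could still be
# confirmed offline against the fingerprint.
agentos_key_fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -c1-8
    else
        printf '%s' "$1" | shasum -a 256 | cut -c1-8
    fi
}

# Hardened status: presence plus fingerprint, never the key or a prefix of it.
agentos_status_safe() {
    if [ -z "${AGENTOS_KEY:-}" ]; then
        printf 'API key: not set\n'
    else
        printf 'API key: set (fingerprint %s)\n' "$(agentos_key_fingerprint "$AGENTOS_KEY")"
    fi
}

# Accept an API URL only if it is https:// and names a host rather than a bare
# IPv4/IPv6 address, so the bearer token never goes in cleartext to an
# endpoint whose certificate cannot be checked. Returns 1 and explains on stderr.
agentos_check_api_url() {
    url="$1"
    case "$url" in
        https://*) ;;
        *) echo "refusing API URL '$url': must use https://" >&2; return 1 ;;
    esac
    hostport="${url#https://}"; hostport="${hostport%%/*}"
    case "$hostport" in
        \[*) echo "refusing API URL '$url': bare IPv6 address, use a hostname" >&2; return 1 ;;
    esac
    host="${hostport%%:*}"
    case "$host" in
        '') echo "refusing API URL '$url': empty host" >&2; return 1 ;;
        *[!0-9.]*) return 0 ;;   # contains something other than digits/dots: a hostname
        *) echo "refusing API URL '$url': bare IPv4 address, use a hostname" >&2; return 1 ;;
    esac
}

# Refuse to read a key from a config file that group or others can access.
# Uses the POSIX ls -l mode field, so it behaves the same on GNU and BSD userlands.
agentos_check_config_perms() {
    mode="$(ls -ld "$1" | cut -c1-10)"
    case "${mode#????}" in          # drop type + owner bits, keep group/other bits
        ------) return 0 ;;
        *) echo "refusing config '$1': mode $mode is readable by group/other; run chmod 600" >&2; return 1 ;;
    esac
}

# Demo with a constructed, non-functional key (not a real credential).
AGENTOS_KEY='sk_live_1234567890abcdefghijKLMNOP'
echo "leaky: $(agentos_status_leaky)"
echo "safe:  $(agentos_status_safe)"
agentos_check_api_url 'http://10.0.0.5:8080/api' || true
agentos_check_api_url 'https://mesh.example.com/api' && echo "url ok"
```

Run the file directly to see the leaky line print the key prefix while the safe line prints only a fingerprint; the URL and permission checks are meant to be called before any request that carries the key, so that a misconfigured endpoint or a world-readable config file stops the script instead of leaking the token.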

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal