AgentOS SDK

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed cloud memory and agent-operations skill, but it defaults to insecure transport and strongly encourages broad recurring sync of potentially sensitive context.

Review before installing. Use only a trusted HTTPS AgentOS endpoint, avoid the raw-IP HTTP default, use least-privilege and rotated API keys, and do not allow automatic syncing of raw conversation notes, credentials, customer data, or confidential project context. Treat webhooks, WebSockets, mesh communication, and bulk export as high-trust features that should be enabled only with clear tenant, retention, and access-control expectations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (27)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
The file explicitly instructs the agent to write anything important to files 'obsessively' and frames persistent storage as mandatory. In a generic self-evolution framework, that encourages indiscriminate retention of operational context, which can easily include secrets, user data, internal system details, or regulated information without any minimization, consent, or retention controls.

Context-Inappropriate Capability

Severity: Medium
Confidence: 83%
The verification helper includes live network access via curl for deployment checks, which expands the skill from memory management into external interaction. That is risky because it can trigger unintended outbound requests, touch sensitive endpoints, or be repurposed to probe internal services if task inputs are not tightly controlled.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
The checkpoint example explicitly stores 'need to add production keys' in persisted working memory, normalizing credential-related state in plain text logs. Even if it does not include the key material itself, this pattern encourages operators or agents to record sensitive deployment and secret-management context where it may later be exposed or resurfaced.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
The status command prints the first 20 characters of the API key to stdout, which can leak a usable secret fragment into terminal logs, screenshots, shell history captures, or shared sessions. Even partial credential exposure materially weakens secret confidentiality and can aid token recovery, correlation, or operator impersonation depending on token format and surrounding leaks.

Missing User Warnings

Severity: Medium
Confidence: 95%
The guide mandates copying CONTEXT.md and daily notes to a remote AgentOS service on every heartbeat, but provides no filtering or sensitivity checks. Because those files may contain user prompts, secrets, internal notes, or regulated data, this creates a standing exfiltration path and expands retention of sensitive information.

Missing User Warnings

Severity: Low
Confidence: 87%
The config example shows a live-style API key format and tells agents where credentials are stored, but gives no warning about secret handling, masking, or avoiding logging/transmission. In operational guides for agents, this omission increases the chance that keys get copied into notes, memory, activity logs, screenshots, or prompts.

Missing User Warnings

Severity: Medium
Confidence: 90%
The documentation explicitly recommends storing relationship context, preferences, communication style, and past interactions for identifiable people, but provides no guidance on consent, minimization, retention, or access controls. In an agent memory system, this can normalize collection of sensitive personal data and lead to privacy violations, over-collection, or mishandling of regulated data.

Missing User Warnings

Severity: Medium
Confidence: 95%
The webhook example shows full memory contents, including the `value` field, being transmitted to external servers, but does not warn that memories may contain sensitive or personal data. This can cause unintended data exfiltration to third-party infrastructure if users follow the example without filtering payloads or validating data sensitivity.

Missing User Warnings

Severity: Medium
Confidence: 93%
This section directs frequent persistence of task results, notes, current work, and pending work without any warning or controls for sensitive content. In practice, agents often include customer data, internal incident details, access paths, or security-relevant context in such summaries, making this an unsafe default.

Vague Triggers

Severity: Medium
Confidence: 88%
The skill's activation scope is extremely broad: it invites use whenever the agent needs memory, project management, task tracking, communication, or self-evolution, which are common across many ordinary conversations. That increases the chance the skill is invoked in contexts where users did not explicitly consent to persistent storage, agent-to-agent messaging, or cloud synchronization, expanding the blast radius of all other risky behaviors in the file.

Missing User Warnings

Severity: Medium
Confidence: 82%
The document exposes a delete capability that creates tombstones and removes accessible data, but it provides no warning, confirmation requirement, or guidance to avoid accidental or unauthorized deletion. In an agent skill, documenting deletion as a routine operation without guardrails can lead an autonomous agent to erase important memory state based on ambiguous instructions or misclassification.

Missing User Warnings

Severity: High
Confidence: 97%
The mandatory heartbeat backup protocol instructs the agent to continuously update local context files and then sync broad session context and daily notes to AgentOS cloud storage. Because the instructions call for recording 'important conversation notes,' active tasks, and current session state on every heartbeat, the skill normalizes bulk persistence and external transfer of potentially sensitive user data without any privacy boundary, minimization rule, or consent check.

Missing User Warnings

Severity: High
Confidence: 99%
The SDK defaults to an HTTP base URL, causing API keys, agent identifiers, and memory contents to be transmitted without transport encryption. Anyone able to observe or tamper with network traffic could steal credentials, read sensitive agent memory, or alter requests and responses.

Missing User Warnings

Severity: High
Confidence: 90%
The bulk export helpers enable retrieval and transmission of large volumes of agent memory, including cross-agent export via dump-all, with minimal friction and no warning about sensitivity. In this skill context, the data includes reflections, mistakes, working memory, verifications, and mesh communications, so misuse or accidental invocation could expose substantial private operational data.

Missing User Warnings

Severity: Medium
Confidence: 93%
The documentation tells users to place a live API key in environment configuration but provides no guidance on secret handling, storage, rotation, or avoiding commits and logs. In an agent integration context, this is risky because these configs are often copied into shared repo files, deployment manifests, screenshots, or debugging output, increasing the chance of credential leakage and unauthorized access to the AgentOS backend.

Missing User Warnings

Severity: Medium
Confidence: 95%
The guide encourages recalling, storing, and syncing 'current priorities,' project context, mistakes, reflections, and per-person relationship data to a network service without warning that potentially sensitive organizational, personal, or proprietary information is being transmitted externally. This is more dangerous in agent tooling because the examples normalize broad automatic sync of memory and context, which can lead to unreviewed exfiltration of confidential data to the configured remote endpoint.

Missing User Warnings

Severity: Medium
Confidence: 93%
The script persists self-reflection content to long-term storage and explicitly marks it searchable, but it does not warn the user that potentially sensitive accomplishments, challenges, and lessons will be retained and indexed. In a self-reflection context, users are especially likely to enter sensitive operational details, mistakes, incidents, or personal information, increasing the privacy and data-exposure risk.

Missing User Warnings

Severity: Medium
Confidence: 91%
The lesson text is persisted a second time via aos_learn without clearly informing the user that the same content may be stored separately and reused as learned knowledge. This secondary persistence broadens the data footprint and may cause sensitive information to be retained, surfaced later, or used in ways the user did not intend.

Missing User Warnings

Severity: Medium
Confidence: 98%
This is a concrete secret disclosure: the status command exposes part of the bearer token without necessity or warning. CLI output is commonly captured by logs, terminals, support bundles, or other users on the same system, so revealing any token material increases credential exposure risk.

Vague Triggers

Severity: Medium
Confidence: 92%
The manifest describes a very broad 'complete agent operations toolkit' spanning memory, communications, logging, projects, and self-evolution, but provides no clear activation boundaries, least-privilege constraints, or user-consent guardrails in the manifest. In an agent skill ecosystem, overly broad scope increases the chance the skill is invoked for unrelated tasks and gains access to sensitive workflows or data without the user understanding the full reach of the integration.

Missing User Warnings

Severity: Medium
Confidence: 97%
The manifest requires an API key and defines a default remote endpoint over plain HTTP to a hard-coded IP address, while describing features that involve memory, logging, agent communication, and synchronization. This creates a real risk of sensitive agent context, secrets, or operational data being transmitted to a remote service without adequate disclosure or transport security, enabling interception, unauthorized collection, or misuse.

Ssd 3

Severity: Medium
Confidence: 97%
This section makes broad context backup mandatory every 10 minutes and explicitly includes conversation notes, accomplishments, and active tasks, then syncs them to a cloud service. That operationalizes persistent collection of potentially sensitive user and system data without minimization, purpose limitation, or human review.

Ssd 3

Severity: Medium
Confidence: 94%
The 'write obsessively' / 'if you wouldn't remember it, write it down now' guidance encourages indiscriminate persistence rather than selective, policy-bound storage. In an agent operations context, that increases the probability of storing confidential prompts, access tokens, user data, or other sensitive artifacts in durable memory.

Ssd 3

Severity: Medium
Confidence: 96%
The instruction that anything not written to a file will be lost strongly pressures the agent to persist essentially all context, not just curated learnings. That creates a broad natural-language exfiltration and retention channel for sensitive information, especially in environments where tasks involve credentials, user data, or confidential business operations.

Ssd 3

Severity: Medium
Confidence: 95%
Saving progress after every task and checkpointing ongoing work creates a durable log of operational activity in plain language. Without strict content controls, those logs can accumulate sensitive data over time and become a high-value source of leakage when accessed by later sessions, other tools, or unauthorized readers.

VirusTotal

58/58 vendors flagged this skill as clean.