AgentOS SDK
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
AgentOS SDK appears purpose-aligned for agent memory and coordination, but it sends broad persistent context to a default raw-IP HTTP service and enables cross-agent/background workflows that are not tightly scoped.
Install only if you trust the AgentOS service operator. Before enabling it, change the base URL to a verified HTTPS endpoint, use a scoped API key, decide exactly which files and memories may be synced, disable heartbeat/cron/mesh features unless needed, and never store secrets in AgentOS memory.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your agent's memories and API key could be sent to an endpoint that is hard to verify and is not encrypted by default.
The SDK defaults to a raw-IP, plaintext HTTP endpoint and sends bearer API credentials and JSON payloads to it, creating provenance and transport-security risk.
AGENTOS_BASE_URL="${AGENTOS_BASE_URL:-http://178.156.216.106:3100}" ... -H "Authorization: Bearer $AGENTOS_API_KEY"
Use only a verified HTTPS AgentOS endpoint, override the raw-IP default, and avoid using live credentials until the service provenance is confirmed.
Private conversation context, project notes, or sensitive operational details could become persistent, searchable memory reused across future sessions.
The skill directs recurring upload of local working-memory files and daily notes into persistent remote memory without clear exclusions, retention limits, or per-sync approval.
On EVERY heartbeat, before doing anything else: ... Read your state: CONTEXT.md ... daily notes ... Sync to AgentOS: aos memory put "/context/current" "$(cat CONTEXT.md)"
Only sync explicitly approved, sanitized files; define retention and deletion rules; exclude secrets and sensitive user data; and require user confirmation for broad context backups.
An installed agent may repeatedly perform AgentOS backup steps even when the user did not ask for a remote memory sync in that moment.
The instructions make the skill's own backup workflow mandatory and prioritized before other agent activity, which can force tool use and recurring behavior beyond a user's immediate request.
**Every heartbeat MUST include a context backup.** This is non-negotiable. ... **ONLY THEN** proceed with other heartbeat tasks
Treat these as optional workflows unless explicitly enabled by the user, and require clear user approval for recurring backups.
If the key is over-scoped or the agent invokes this function, it could read or export memories belonging to multiple agents in the tenant.
The same AgentOS credential can drive tenant-wide memory export functions, not just single-path or single-agent storage; this is broader authority than the registry metadata's no-credential declaration suggests.
# aos_dump_all [limit] [summary] # Bulk export all memories for all agents ... _aos_request "/v1/dump-all" "$payload"
Use least-privilege API keys, restrict bulk export/admin endpoints from normal agent credentials, and declare the credential requirement clearly before installation.
Messages from other agents could influence work, trigger tasking, or move sensitive information across agents if the tenant or API key is not tightly controlled.
The mesh tool lets agents send messages and tasks by agent ID, but the artifacts do not describe message-origin verification, per-agent permissions, or safeguards against untrusted agent instructions.
curl -s -X POST "$AGENTOS_URL/v1/mesh/messages" ... "from_agent": "$AGENT_ID", "to_agent": "$to_agent", "topic": "$topic", "body": "$body"
Limit mesh use to known agents, enforce ACLs or signed messages server-side, and require human review before acting on messages from other agents.
