Skill v3.7.0

ClawScan security

AgentOS SDK · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 13, 2026, 1:49 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The package largely does what its name implies (an SDK for an agent memory/mesh service) but metadata, instructions, and included scripts disagree about required credentials and expose powerful data-export/mesh capabilities that could be abused or cause unexpected exfiltration; review before installing.
Guidance
Before installing or sourcing this skill:
1) Verify the upstream/source and confirm that the default API endpoint (http://178.156.216.106:3100) is legitimate — prefer a trusted domain over an IP.
2) Treat AGENTOS_API_KEY as sensitive: check what scope/permissions that key grants (can it list/dump-all tenant memories?).
3) Audit the provided scripts (agentos.sh, mesh.sh, examples) — note that aos_dump_all, aos_dump, and the mesh commands can export messages and memory data; ensure the API key is not overly permissive.
4) Don't enable automatic heartbeats or source the SDK in production until you are comfortable that automatic backups won't transmit sensitive local files (CONTEXT.md, daily notes).
5) If you must test, run the SDK in an isolated sandbox with a limited-scope key and a non-sensitive dataset.
6) Request corrected registry metadata (declare required env vars) or a signed/verified upstream homepage before trusting this skill broadly.

Review Dimensions

Purpose & Capability
Concern: The files and SKILL.md are consistent with an 'AgentOS SDK' (memory store, mesh, webhooks, CLI). However, registry metadata claims no required env vars/configs while the README and scripts explicitly require AGENTOS_API_KEY, AGENTOS_AGENT_ID and AGENTOS_BASE_URL. That mismatch (declared: none vs actual: API key + agent id + base URL) is an incoherence that should be justified. The default AGENTOS_BASE_URL is a raw IP address (http://178.156.216.106:3100), which is unexpected for a reputable SDK and worth validating.
Instruction Scope
Concern: Runtime instructions mandate frequent heartbeats that read local files (CONTEXT.md, daily notes) and immediately sync them to the remote service on every heartbeat. The SKILL.md and AGENT-OPS.md make persistence mandatory (backup on every heartbeat), instruct sourcing the included agentos.sh into startup, and promote commands that will send local content to the network. While this is within the stated goal of a persistence SDK, it also means arbitrary agent state and files will be pushed to the configured remote endpoint automatically — a high-scope action that must be explicitly consented to and limited.
Install Mechanism
Note: There is no automated install spec (instruction-only), which is lower-risk than auto-downloading/executing remote archives. However, the skill bundles multiple shell scripts (agentos.sh, mesh.sh, examples) intended to be sourced and run; sourcing these will execute code on the host. Because the package contains many executable helpers, installing/sourcing without auditing them is risky even though there's no remote fetch/install stage.
Credentials
Concern: The SDK legitimately needs an API key and an agent id to contact the service, and the code uses Authorization: Bearer $AGENTOS_API_KEY. But the registry declares 'required env vars: none' — an inconsistency. More concerning: helper functions like aos_dump and aos_dump_all (bulk-export) and mesh.sh (which reads ~/.agentos-mesh.json and posts messages) provide broad export and cross-agent messaging capabilities. If the provided API key has wide scope, these functions can exfiltrate large amounts of data or all tenant memories. The default base URL is an IP rather than a verified domain, which increases the risk that sensitive data will be sent to an unexpected host.
Persistence & Privilege
Note: The skill does not set always:true and does not request system-wide config changes. However, the instructions explicitly recommend sourcing agentos.sh during every session and configuring heartbeats that sync every 10 minutes. That grants the SDK ongoing network activity from the agent (regular context backup). This autonomous, persistent network behavior is coherent with the SDK's purpose, but it increases blast radius — review API key scope and endpoint trust before enabling.