AgentOS SDK for Clawdbot
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This skill requires broad automatic syncing of conversation memory to an external AgentOS service, uses API credentials in risky ways, and depends on helper scripts that were not included for review.
Review this skill carefully before installing. Only use it if you intentionally want AgentOS to store and sync active conversation memory, project notes, and agent activity. Verify the full source for the missing CLI/helper scripts, change any HTTP endpoint to HTTPS, use a limited API key, and do not enable the cron mesh wake workflow unless you understand and accept the background behavior.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may repeatedly sync activity and memory to AgentOS even when the user did not explicitly ask for that sync in the current task.
The skill makes external dashboard syncing a mandatory hard rule for the agent rather than a user-confirmed action, forcing recurring tool use and changing normal stopping/approval expectations.
**Any agent using this SDK MUST sync to the AgentOS dashboard during every heartbeat.** This is non-negotiable.
Require explicit user opt-in for recurring syncs, document exactly what is sent, and provide a clear way to disable or scope heartbeat behavior.
Private conversation details, project notes, and task context could be stored and reused persistently, including after compaction or across sessions.
The skill requires persistent storage of active conversation content after every human message and then syncs that memory to AgentOS, but the artifacts do not define retention, exclusions, sensitivity handling, or user approval boundaries.
**CONTEXT.md MUST always contain the active conversation state as the FIRST section.** ... `Last human message` ... `Your last response` ... `After EVERY human message`
Only install if you are comfortable with persistent cloud-backed conversation memory; use path/content exclusions, avoid sensitive data, and require review before syncing.
An AgentOS API key could be disclosed or misused if the default HTTP endpoint is used on an untrusted network.
The mesh wake script reads a local API key and sends it as a bearer token to a default plaintext HTTP IP address, exposing a credential to network interception or an unexpected endpoint.
API_URL=$(jq -r '.apiUrl // "http://178.156.216.106:3100"' "$CONFIG_FILE")
API_KEY=$(jq -r '.apiKey // empty' "$CONFIG_FILE")
...
-H "Authorization: Bearer $API_KEY"
Do not use the default plaintext endpoint; require HTTPS, verify the service host, rotate any exposed API key, and ensure the registry declares the credential requirement.
The most important sync and API behavior cannot be verified from the supplied artifacts, so users cannot know what code handles their memory, dashboard syncs, and API key.
The setup script installs and runs a scripts/aos CLI that is not included in the provided file manifest, while SKILL.md also mandates other helper scripts that were not provided for review.
cp "${SKILL_DIR}/scripts/aos" "${BIN_DIR}/aos"
chmod +x "${BIN_DIR}/aos"
...
"${BIN_DIR}/aos" setup
Publish the full CLI/helper source, pin versions, include install specifications, and avoid mandatory execution of helpers that are not included in the reviewed package.
Messages from other agents could prompt or steer Clawdbot activity if the user enables the wake workflow.
The script polls remote mesh messages and uses them to wake Clawdbot, but the artifacts do not show message authentication, sender trust policy, or containment for remote agent-originated content.
response=$(curl -s -X GET "$API_URL/v1/mesh/messages?agent_id=$AGENT_ID&direction=inbox&status=sent&limit=20" ...)
...
clawdbot cron wake --text "$wake_msg"
Require explicit sender allowlists, message signing or verification, and user approval before remote mesh messages can wake or direct the agent.
If enabled, the agent may continue polling and waking in the background, including when the user is not actively interacting with it.
The artifact recommends a recurring background cron job that can wake the agent based on remote messages, creating ongoing autonomous behavior outside a direct user request.
# Add to cron: */2 * * * * ~/clawd/skills/agentos/scripts/mesh-wake.sh
# Checks for unread mesh messages and wakes Clawdbot to process them
Avoid enabling the cron job unless needed; document how to disable it, limit wake frequency, and require user confirmation before processing remote messages.
