Agent Zero Bridge

Security checks across malware telemetry and agentic risk

Overview

This bridge does what it claims, but it gives Agent Zero broad token-backed access to Clawdbot and local files without enough scoping or safety warnings.

Install only if you specifically need Agent Zero to call back into Clawdbot. Keep the gateway off public or shared networks, prefer localhost or a private Docker network over 0.0.0.0, use a dedicated low-privilege token if available, review every file before using --attach, avoid sending secrets or regulated data in prompts, and reset Agent Zero context between unrelated tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The setup instructs users to bind the Clawdbot gateway to 0.0.0.0, making it reachable on all interfaces rather than only localhost. For a bridge that handles tokens and can relay tool/chat actions, broader exposure increases the chance of unauthorized access from the local network or any forwarded interface if token handling is weak or misconfigured.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The README promotes a bidirectional bridge between two API-connected agents and includes installation and usage guidance, but it does not warn users that prompts, code, attachments, and progress messages may be transmitted to another service. In a tool explicitly designed for delegation and file exchange, this omission can cause users to unknowingly send sensitive data to external systems, creating confidentiality and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The instructions tell users to expose the gateway on all interfaces without a clear warning that this increases the attack surface of a service capable of receiving requests and invoking agent functionality. In practice, users may copy the configuration verbatim, unintentionally publishing a sensitive local control plane to other devices on the network.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The client reads arbitrary local files from paths supplied in options.attach, base64-encodes them, and sends them to a remote API endpoint without any built-in confirmation, allowlisting, or visibility controls in this library layer. In the context of an autonomous delegation skill, this increases the chance that sensitive workspace files, keys, or system files are exfiltrated to the external Agent Zero service through higher-level prompts or agent actions.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The script sends the full user-supplied task description to an external Agent Zero service via client.sendMessage without any explicit notice, consent, or redaction step. Task descriptions for coding or research delegation can easily contain proprietary source details, credentials, internal architecture, customer data, or other sensitive material, so silent exfiltration to a third-party service creates a real confidentiality and compliance risk.

VirusTotal

65/65 vendors flagged this skill as clean.