Agent Zero Bridge

If Agent Zero is compromised, misprompted, or given an unsafe task, it may be able to trigger any Clawdbot tool available to the gateway, not just report progress or ask questions.

The bridge exposes a generic tool-invocation API where the tool name and arguments are passed through to Clawdbot without an allowlist, confirmation gate, or visible restriction to safe tools.

The Agent Zero container receives credentials that can act through the Clawdbot gateway, which may exceed what users expect from a task-delegation bridge.

The setup copies the Clawdbot gateway token into the Agent Zero container, giving that autonomous environment delegated access to Clawdbot. The metadata declares no primary credential or required environment variables.

Clawdbot may treat Agent Zero output as if it were a user request, which can blur responsibility and make prompt-injection or unsafe delegated instructions harder to contain.

Messages from Agent Zero are forwarded into Clawdbot as user-role chat messages, distinguished only by a text prefix, with no stronger origin, trust, or instruction-boundary handling shown.

Users may need to rely on external setup material or recreate configuration manually, and provenance is less clear than it would be with a declared source and complete packaged template.

The README references an external GitHub source and an `.env.example` file, while registry metadata lists source as unknown/homepage none and the provided manifest does not include `.env.example`.

Delegated work may continue for longer than a normal chat turn and may have its own environment and context.

The skill is explicitly designed to delegate long-running autonomous work to Agent Zero in a persistent Docker environment.