Agent Zero Bridge

Result: Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: agent-zero-bridge
Version: 1.0.0

This skill is classified as suspicious due to its broad capabilities, which significantly expand the attack surface. It allows Agent Zero to invoke *any* Clawdbot tool via the `/tools/invoke` endpoint (`scripts/clawdbot_client.js`, `scripts/lib/clawdbot_api.js`), which could lead to arbitrary command execution or file system manipulation if Clawdbot exposes such tools. Additionally, the skill can read arbitrary local files (e.g., `--attach ./file.py` in `scripts/a0_client.js`, implemented in `scripts/lib/a0_api.js`) and send their base64-encoded content to Agent Zero, posing a risk of sensitive data exfiltration if misused. While these capabilities are presented as part of the legitimate function of a powerful AI bridge, they represent high-risk behaviors without explicit malicious intent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If Agent Zero is compromised, misprompted, or given an unsafe task, it may be able to trigger any Clawdbot tool available to the gateway, not just report progress or ask questions.

Why it was flagged

The bridge exposes a generic tool-invocation API where the tool name and arguments are passed through to Clawdbot without an allowlist, confirmation gate, or visible restriction to safe tools.

Skill content

async invokeTool(tool, args = {}, sessionKey = "main") { ... const data = await this.request('/tools/invoke', 'POST', payload); }

Recommendation

Limit the gateway token to specific low-risk tools if possible, add an allowlist in the bridge client, and require user approval before Agent Zero can invoke tools that modify files, accounts, sessions, or external systems.

What this means

The Agent Zero container receives credentials that can act through the Clawdbot gateway, which may exceed what users expect from a task-delegation bridge.

Why it was flagged

The setup copies the Clawdbot gateway token into the Agent Zero container, giving that autonomous environment delegated access to Clawdbot. The metadata declares no primary credential or required environment variables.

Skill content

CLAWDBOT_API_TOKEN=your_gateway_token ... docker cp .env <container>:/a0/bridge/

Recommendation

Use a separate least-privilege gateway token for this bridge, rotate it if exposed, avoid sharing a main/admin token with Agent Zero, and document the exact permissions granted.

What this means

Clawdbot may treat Agent Zero output as if it were a user request, which can blur responsibility and make prompt-injection or unsafe delegated instructions harder to contain.

Why it was flagged

Messages from Agent Zero are forwarded into Clawdbot as user-role chat messages, distinguished only by a text prefix, with no stronger origin, trust, or instruction-boundary handling shown.

Skill content

messages: [{ role: "user", content: options.prefix ? `${options.prefix}\n\n${message}` : message }]

Recommendation

Treat all Agent Zero messages as untrusted delegated-agent content, keep a visible prefix, add policy checks before acting on them, and avoid enabling automatic tool execution from these messages.

What this means

Users may need to rely on external setup material or recreate configuration manually, and provenance is less clear than it would be with a declared source and complete packaged template.

Why it was flagged

The README references an external GitHub source and an `.env.example` file, while the registry metadata lists the source as unknown and the homepage as none, and the provided manifest does not include `.env.example`.

Skill content

git clone https://github.com/DOWingard/Clawdbot-Agent0-Bridge.git ... cp .env.example .env

Recommendation

Verify the repository and files before installing, and the publisher should declare the source URL and include the referenced `.env.example` template in the package.

Note (High Confidence)
ASI10: Rogue Agents

What this means

Delegated work may continue for longer than a normal chat turn and may have its own environment and context.

Why it was flagged

The skill is explicitly designed to delegate long-running autonomous work to Agent Zero in a persistent Docker environment.

Skill content

Long-running builds, tests, or infrastructure work ... Tasks needing persistent Docker execution environment

Recommendation

Use it only for tasks you intend to delegate, monitor Agent Zero progress, and know how to stop/reset the Agent Zero container and bridge context.