Trust Assessment
agent-zero-bridge received a trust score of 10/100, placing it in the Untrusted category. The skill has significant security findings that should be addressed before it is used in production.
SkillShield's automated analysis identified 14 findings: 9 critical, 4 high, 1 medium, and 0 low severity. The key findings are network egress to untrusted endpoints (HTTP requests to raw IP addresses), access to the sensitive AI agent config path `~/.clawdbot/`, and the ability of Agent Zero to invoke arbitrary Clawdbot tools.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100; it accounts for 8 of the 9 critical findings.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (14)
| Severity | Finding | Detail | Remediation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/dowingard/agent-zero-bridge/SKILL.md:34 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/dowingard/agent-zero-bridge/SKILL.md:38 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/dowingard/agent-zero-bridge/scripts/a0_client.js:35 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/dowingard/agent-zero-bridge/scripts/clawdbot_client.js:12 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/dowingard/agent-zero-bridge/scripts/clawdbot_client.js:30 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/dowingard/agent-zero-bridge/scripts/lib/config.js:28 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/dowingard/agent-zero-bridge/scripts/lib/config.js:37 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/dowingard/agent-zero-bridge/scripts/lib/config.js:38 |
| CRITICAL | Agent Zero can invoke arbitrary Clawdbot tools | The `clawdbot_client.js` script allows Agent Zero to invoke any Clawdbot tool with arbitrary JSON arguments. The `toolName` and `toolArgs` are taken directly from command-line arguments without validation and passed to the Clawdbot Gateway's `/tools/invoke` endpoint. This creates a direct bridge for Agent Zero (an LLM) to gain arbitrary execution capabilities within the Clawdbot environment, limited only by the tools available to Clawdbot and the permissions of the Clawdbot Gateway. If Clawdbot has tools for file system access, shell execution, or other sensitive operations, Agent Zero could be prompted to use them, leading to a severe security breach. | Implement a whitelist of allowed tools and/or validate arguments for each tool within `clawdbot_client.js` before invoking them. Alternatively, ensure the Clawdbot Gateway itself enforces strict access control and validation for tool invocations, or that the `CLAWDBOT_API_TOKEN` used by Agent Zero has minimal necessary permissions. | LLM | scripts/clawdbot_client.js:70 |
| HIGH | Sensitive path access: AI agent config | Access to AI agent config path detected: `~/.clawdbot/`. This may indicate credential theft. | Verify that access to this sensitive path is justified and declared. | Static | skills/dowingard/agent-zero-bridge/SKILL.md:24 |
| HIGH | Sensitive path access: AI agent config | Access to AI agent config path detected: `~/.clawdbot/`. This may indicate credential theft. | Verify that access to this sensitive path is justified and declared. | Static | skills/dowingard/agent-zero-bridge/SKILL.md:27 |
| HIGH | Sensitive path access: AI agent config | Access to AI agent config path detected: `~/.clawdbot/`. This may indicate credential theft. | Verify that access to this sensitive path is justified and declared. | Static | skills/dowingard/agent-zero-bridge/SKILL.md:56 |
| HIGH | Arbitrary file read and exfiltration to Agent Zero | The `a0_client.js` script allows attaching arbitrary files to messages sent to Agent Zero via the `--attach <path>` command-line option. The `filePath` is taken directly from user input (via `process.argv`) and `fs.readFileSync` is used to read its content, which is then base64 encoded and sent to Agent Zero. If a malicious prompt can trick Clawdbot into invoking `a0_client.js` with `--attach /etc/passwd`, `--attach /app/secrets.txt`, or other sensitive files, their content could be exfiltrated to Agent Zero, and potentially further to an attacker if Agent Zero's responses are accessible. | Implement strict validation and sanitization of file paths provided via the `--attach` option. Consider restricting file attachments to a specific, non-sensitive directory or requiring explicit user confirmation for sensitive paths. If possible, avoid direct file path input from LLM-generated commands for file operations. | LLM | scripts/lib/a0_api.js:70 |
| MEDIUM | Prompt injection risk in task breakdown | The `task_breakdown.js` script constructs a prompt for Agent Zero using a user-provided `taskDescription` (from `process.argv`). Although the prompt attempts to constrain Agent Zero's output format, a sophisticated prompt injection attack within the `taskDescription` could potentially bypass these instructions and manipulate Agent Zero's behavior. While the immediate impact on Clawdbot's environment is limited to the content written to a markdown file, it represents a successful manipulation of the downstream LLM (Agent Zero), which could lead to unexpected or undesirable outputs. | Implement robust input sanitization or a more resilient prompt engineering strategy (e.g., using XML tags or JSON structures for user input within the prompt) to better isolate user input from system instructions. Consider adding a human-in-the-loop review for critical tasks or outputs generated by Agent Zero based on user-provided task descriptions. | LLM | scripts/task_breakdown.js:40 |
Full report: https://skillshield.io/report/435e5251a7e794bd
Powered by SkillShield