Trust Assessment
agentos received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 11 findings: 3 critical, 2 high, 5 medium, and 1 low severity. Key findings include Persistence / self-modification instructions, Network egress to untrusted endpoints, Missing required field: name.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 10/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (11)
| Severity | Finding | Detail | Remediation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions | Shell RC file modification for persistence | Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/agentossoftware/agentos/scripts/setup.sh:59 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/agentossoftware/agentos/SKILL.md:287 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/agentossoftware/agentos/scripts/mesh-wake.sh:17 |
| HIGH | Command Injection via untrusted mesh message content in wake-up script | The `scripts/mesh-wake.sh` script constructs a `wake_msg` by embedding `from_agent` and `topic` fields from incoming mesh messages. This `wake_msg` is then passed as an argument to `clawdbot cron wake --text`. If an attacker sends a mesh message where `from_agent` or `topic` contains shell metacharacters (e.g., `$(malicious_command)`), these could be executed on the host system when the `clawdbot` command is run, leading to arbitrary command execution. | Sanitize or properly escape `from_agent` and `topic` variables before embedding them into `wake_msg`. For shell commands, use `printf %q` or ensure the arguments are passed in a way that prevents shell interpretation. | LLM | scripts/mesh-wake.sh:38 |
| HIGH | Broad data exfiltration capability via 'aos dump-all' API endpoint | The skill documentation explicitly mentions an API endpoint `/v1/dump-all` with the description "Bulk fetch ALL memories". This capability, if exposed to a compromised agent or if the agent is tricked into invoking it, allows for the exfiltration of the entire memory store. While intended functionality, the "ALL memories" scope is excessively broad and presents a significant risk for mass data exfiltration. | Implement granular access controls for memory access. Avoid a single "dump-all" endpoint. Instead, require specific memory paths or categories for bulk operations. If "dump-all" is absolutely necessary, it should require elevated permissions, multi-factor authentication, or human approval, and its use should be heavily logged and audited. | LLM | SKILL.md:248 |
| MEDIUM | Missing required field: name | The 'name' field is required for claude_code skills but is missing from frontmatter. | Add a 'name' field to the SKILL.md frontmatter. | Static | skills/agentossoftware/agentos/SKILL.md:1 |
| MEDIUM | Sensitive environment variable access: $HOME | Access to sensitive environment variable '$HOME' detected in shell context. | Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/agentossoftware/agentos/scripts/mesh-wake.sh:8 |
| MEDIUM | Sensitive environment variable access: $HOME | Access to sensitive environment variable '$HOME' detected in shell context. | Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/agentossoftware/agentos/scripts/setup.sh:14 |
| MEDIUM | Persistence mechanism: Shell RC file modification | Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. | Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/agentossoftware/agentos/scripts/setup.sh:59 |
| MEDIUM | Broad filesystem synchronization scope configured | The `~/.agentos.json` configuration includes `"~/clawd/memory/"` in its `syncPaths`. This broad directory path means that any file or subdirectory within `~/clawd/memory/` will be synchronized to the AgentOS cloud. This increases the attack surface for data exfiltration, as sensitive files accidentally placed or created within this directory could be synced without explicit intent. | Restrict `syncPaths` to only explicitly required files or subdirectories. Avoid syncing entire broad directories unless absolutely necessary and with full understanding of all contents. Implement a whitelist approach for synced files. | LLM | SKILL.md:204 |
| LOW | Hardcoded IP address for API endpoint in configuration | The `apiUrl` in the `~/.agentos.json` configuration defaults to a hardcoded IP address (`http://178.156.216.106:3100`). Relying on a hardcoded IP address for an external API introduces a supply chain risk. If this IP address is ever re-assigned, compromised, or taken over by a malicious entity, the agent could unknowingly connect to a hostile server, leading to data interception, manipulation, or exfiltration. Using a domain name with proper TLS certificate validation is generally more secure. | Replace the hardcoded IP address with a fully qualified domain name (FQDN). Ensure that the client (the agent's underlying system) performs proper TLS certificate validation when connecting to the API endpoint to prevent man-in-the-middle attacks. | LLM | SKILL.md:201 |