Security Audit

agentos-mesh

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CRITICAL

Scanned 3 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

agentos-mesh received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.

SkillShield's automated analysis identified 8 findings: 3 critical, 0 high, 4 medium, and 1 low severity. Key findings include Persistence / self-modification instructions, Network egress to untrusted endpoints, Missing required field: name.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100, indicating areas for improvement.

Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

40%

Static Code Analysis

72%

Dependency Graph

100%

LLM Behavioral Safety

68%

Behavioral Risk Signals

Network Access

2 findings

Filesystem Write

3 findings

Shell Execution

6 findings

Dynamic Code

1 finding

Excessive Permissions

2 findings

Security Findings8

Severity	Finding	Layer	Location
CRITICAL	Persistence / self-modification instructions Shell RC file modification for persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles.	Manifest	skills/agentossoftware/agentos-mesh/scripts/install.sh:64
CRITICAL	Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains.	Manifest	skills/agentossoftware/agentos-mesh/scripts/mesh.sh:13
CRITICAL	Command Injection via Unescaped User Input in curl -d The `cmd_send` and `cmd_task` functions in `scripts/mesh.sh` construct `curl` commands by directly interpolating user-provided arguments (`to_agent`, `topic`, `body`, `title`, `description`) into the JSON payload for the `-d` (data) option. If these arguments contain double quotes (`"`) or backslashes (`\`), an attacker can break out of the JSON string and inject arbitrary `curl` arguments, leading to command injection. This could allow for data exfiltration (e.g., reading local files), arbitrary network requests, or other malicious actions. All user-controlled inputs (`to_agent`, `topic`, `body`, `title`, `description`) must be properly JSON-escaped before being interpolated into the `curl -d` payload. This can be achieved by using `jq` to construct the JSON object safely, e.g., `jq -n --arg from "$AGENT_ID" --arg to "$to_agent" ... '{from_agent: $from, to_agent: $to, ...}'` and then passing the output of `jq` to `curl -d @-`.	LLM	scripts/mesh.sh:70
MEDIUM	Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter.	Static	skills/agentossoftware/agentos-mesh/SKILL.md:1
MEDIUM	Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.	Static	skills/agentossoftware/agentos-mesh/scripts/install.sh:14
MEDIUM	Persistence mechanism: Shell RC file modification Detected Shell RC file modification pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration.	Static	skills/agentossoftware/agentos-mesh/scripts/install.sh:64
MEDIUM	Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated.	Static	skills/agentossoftware/agentos-mesh/scripts/mesh.sh:18
LOW	Partial API Key Exposure in Status Output The `cmd_status` function in `scripts/mesh.sh` prints the first 20 characters of the `AGENTOS_KEY` to standard output. While truncated, this still exposes a portion of a sensitive credential. If the output of `mesh status` is logged or visible to other users/processes, this partial key could potentially aid in brute-force attacks or provide information to an attacker. Avoid printing any part of sensitive credentials to standard output or logs. If debugging requires confirmation of key presence, a simple 'API Key: [Configured]' or similar non-revealing message should be used instead.	LLM	scripts/mesh.sh:204

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/04aa67bad81016e6.svg)](https://skillshield.io/report/04aa67bad81016e6)