Trust Assessment
agentos-sdk received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 4 critical, 2 high, 4 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Missing required field: name, Sensitive environment variable access: $HOME.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (10)
| Severity | Finding | Detail and remediation | Layer | Location |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/agentossoftware/agentos-sdk/skill.json:40 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/agentossoftware/agentos-sdk/agentos.sh:7 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/agentossoftware/agentos-sdk/agentos.sh:21 |
| CRITICAL | Network egress to untrusted endpoints | HTTP request to raw IP address. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/agentossoftware/agentos-sdk/scripts/mesh.sh:13 |
| HIGH | Hardcoded IP address for API endpoint creates single point of failure and exfiltration risk | Both `scripts/mesh.sh` and `agentos.sh` use `http://178.156.216.106:3100` as the default `AGENTOS_BASE_URL`. All API requests, including those containing the `AGENTOS_API_KEY` and potentially sensitive memory/message content, are directed to this hardcoded IP address. If this specific IP address is ever compromised, taken over, or if the service running on it becomes malicious, all data sent by agents using this default configuration could be exfiltrated to an attacker. While the `AGENTOS_BASE_URL` can be overridden, the default presents a significant risk. Replace the hardcoded IP address with a domain name (e.g., `https://api.agentos.software`). This allows for easier updates via DNS, enables the use of TLS certificates for secure communication, and provides a more robust and trustworthy endpoint. If an IP must be used, ensure it is under strict control and consider implementing additional security measures like IP whitelisting or mutual TLS. | LLM | SKILL.md:40 |
| HIGH | API key sent to potentially compromised hardcoded IP address | The `AGENTOS_API_KEY` is sent as an Authorization header with every API request to the `AGENTOS_BASE_URL`. As identified, the default `AGENTOS_BASE_URL` is a hardcoded IP address (`http://178.156.216.106:3100`). If this endpoint is compromised or controlled by an adversary, the `AGENTOS_API_KEY` (a sensitive credential) would be directly harvested by the attacker, granting them unauthorized access to the agent's data and functionality. As a primary remediation, replace the hardcoded IP address with a domain name for `AGENTOS_BASE_URL` to enable TLS and better endpoint management. Additionally, implement API key rotation, restrict API key permissions to the minimum necessary, and consider using more secure authentication mechanisms like OAuth tokens with shorter lifespans if available. | LLM | scripts/mesh.sh:51 |
| MEDIUM | Missing required field: name | The 'name' field is required for openclaw skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter. | Static | skills/agentossoftware/agentos-sdk/SKILL.md:1 |
| MEDIUM | Sensitive environment variable access: $HOME | Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/agentossoftware/agentos-sdk/agentos.sh:441 |
| MEDIUM | Sensitive environment variable access: $HOME | Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/agentossoftware/agentos-sdk/scripts/mesh.sh:18 |
| MEDIUM | JSON injection via unescaped user input in shell script | The `scripts/mesh.sh` script constructs JSON payloads for `curl -d` by directly concatenating user-supplied arguments (`to_agent`, `topic`, `body`, `assigned_to`, `title`, `description`) into a JSON string. This allows an attacker to inject arbitrary JSON key-value pairs into the request body by crafting input containing double quotes. While not a direct shell command injection, it can lead to unexpected API behavior, data corruption, or bypass of API-side validation if the backend does not strictly validate the payload structure. Use `jq` with `--arg` and `--argjson` flags to safely construct JSON payloads from user input. This ensures that all string arguments are properly escaped before being embedded into the JSON. For example, replace direct string concatenation with `payload=$(jq -n --arg from_agent "$AGENT_ID" --arg to_agent "$to_agent" ... '{from_agent: $from_agent, ...}')` and then pass `"$payload"` to `curl -d`. | LLM | scripts/mesh.sh:50 |
Full report: https://skillshield.io/report/3bb9ecb141e33ea1 (powered by SkillShield)